diff options
| author | Ade Lee <alee@redhat.com> | 2012-01-11 12:57:53 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2012-01-11 13:49:04 -0500 |
| commit | 10cfe7756e967ac91c66d33b392aeab9cf3780fb (patch) | |
| tree | d5ac9b58442265d2ce5ef60e31f041ddacba1b4f /pki/base/common/src/com/netscape/cms/policy/constraints | |
| parent | edcb24f65cc3700e75d0a1d14dc2483f210b0ee4 (diff) | |
| download | pki-10cfe7756e967ac91c66d33b392aeab9cf3780fb.tar.gz pki-10cfe7756e967ac91c66d33b392aeab9cf3780fb.tar.xz pki-10cfe7756e967ac91c66d33b392aeab9cf3780fb.zip | |
Formatting (no line wrap in comments or code)
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints')
16 files changed, 579 insertions, 650 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java b/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java index 3aeadabe5..c9e9401a5 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Vector; import com.netscape.certsrv.apps.CMS; @@ -30,24 +29,24 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * AgentPolicy is an enrollment policy wraps another policy module. - * Requests are sent first to the contained module, but if the - * policy indicates that the request should be deferred, a check - * for agent approvals is done. If any are found, the request - * is approved. + * Requests are sent first to the contained module, but if the + * policy indicates that the request should be deferred, a check + * for agent approvals is done. If any are found, the request + * is approved. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class AgentPolicy extends APolicyRule - implements IEnrollmentPolicy { + implements IEnrollmentPolicy { public AgentPolicy() { NAME = "AgentPolicy"; DESC = "Agent Approval Policy"; @@ -56,19 +55,15 @@ public class AgentPolicy extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=AgentPolicy - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com - * ra.Policy.rule.<ruleName>.class=xxxx - * ra.Policy.rule.<ruleName>.params.* - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=AgentPolicy ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com ra.Policy.rule.<ruleName>.class=xxxx ra.Policy.rule.<ruleName>.params.* + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Create subordinate object String className = (String) config.get("class"); @@ -79,14 +74,14 @@ public class AgentPolicy extends APolicyRule try { @SuppressWarnings("unchecked") - Class<APolicyRule> c = (Class<APolicyRule>) Class.forName(className); + Class<APolicyRule> c = (Class<APolicyRule>) Class.forName(className); Object o = c.newInstance(); if (!(o instanceof APolicyRule)) { throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CLASS", - getInstanceName(), className)); + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CLASS", + getInstanceName(), className)); } APolicyRule pr = (APolicyRule) o; @@ -100,7 +95,7 @@ public class AgentPolicy extends APolicyRule System.err.println("Agent Policy Error: " + e); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_LOADING_POLICY_ERROR", - getInstanceName(), className)); + getInstanceName(), className)); } } } @@ -108,8 +103,8 @@ public class AgentPolicy extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -144,7 +139,7 @@ public class AgentPolicy extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector<String> getInstanceParams() { @@ -153,13 +148,12 @@ public class AgentPolicy extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector<String> getDefaultParams() { return null; } - APolicyRule mPolicy = null; + APolicyRule mPolicy = null; } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java index 90e81ed4b..93327445e 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Enumeration; import java.util.Hashtable; import java.util.Locale; @@ -44,20 +43,20 @@ import com.netscape.certsrv.request.PolicyResult; import com.netscape.certsrv.request.RequestId; import com.netscape.cms.policy.APolicyRule; - /** * This checks if attribute present. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AttributePresentConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class AttributePresentConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_ENABLED = "enabled"; protected static final String PROP_LDAP = "ldap"; @@ -82,42 +81,42 @@ public class AttributePresentConstraints extends APolicyRule public String[] getExtendedPluginInfo(Locale locale) { String params[] = { PROP_ATTR + ";string,required;Ldap attribute to check presence of (default " + - DEF_ATTR + ")", + DEF_ATTR + ")", PROP_VALUE + ";string;if this parameter is non-empty, the attribute must " + - "match this value for the request to proceed ", + "match this value for the request to proceed ", PROP_LDAP_BASE + ";string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here", + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", PROP_LDAP_HOST + ";string,required;" + - "LDAP host to connect to", + "LDAP host to connect to", PROP_LDAP_PORT + ";number,required;" + - "LDAP port number (use 389, or 636 if SSL)", + "LDAP port number (use 389, or 636 if SSL)", PROP_LDAP_SSL + ";boolean;" + - "Use SSL to connect to directory?", + "Use SSL to connect to directory?", PROP_LDAP_VER + ";choice(3,2),required;" + - "LDAP protocol version", + "LDAP protocol version", PROP_LDAP_BIND + ";string;DN to bind as for attribute checking. " + - "For example 'CN=Pincheck User'", + "For example 'CN=Pincheck User'", PROP_LDAP_PW + ";password;Enter password used to bind as " + - "the above user", + "the above user", PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;" + - "How to bind to the directory", + "How to bind to the directory", PROP_LDAP_CERT + ";string;If you want to use " + - "SSL client auth to the directory, set the client " + - "cert nickname here", + "SSL client auth to the directory, set the client " + + "cert nickname here", PROP_LDAP_BASE + ";string,required;Base DN to start searching " + - "under. If your user's DN is 'uid=jsmith, o=company', you " + - "might want to use 'o=company' here", + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", PROP_LDAP_MINC + ";number;number of connections " + - "to keep open to directory server. Default " + DEF_LDAP_MINC, + "to keep open to directory server. Default " + DEF_LDAP_MINC, PROP_LDAP_MAXC + ";number;when needed, connection " + - "pool can grow to this many (multiplexed) connections. Default " + DEF_LDAP_MAXC, + "pool can grow to this many (multiplexed) connections. Default " + DEF_LDAP_MAXC, IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-pinpresent", + ";configuration-policyrules-pinpresent", IExtendedPluginInfo.HELP_TEXT + - ";" + DESC + " This plugin can be used to " + - "check the presence (and, optionally, the value) of any LDAP " + - "attribute for the user. " + ";" + DESC + " This plugin can be used to " + + "check the presence (and, optionally, the value) of any LDAP " + + "attribute for the user. " }; return params; @@ -179,9 +178,9 @@ public class AttributePresentConstraints extends APolicyRule protected static final String PROP_VALUE = "value"; protected static final String DEF_VALUE = ""; - protected static Vector<String> mParamNames; + protected static Vector<String> mParamNames; protected static Hashtable<String, Object> mParamDefault; - protected Hashtable<String, Object> mParamValue = null; + protected Hashtable<String, Object> mParamValue = null; static { mParamNames = new Vector<String>(); @@ -200,7 +199,7 @@ public class AttributePresentConstraints extends APolicyRule addParam(PROP_ATTR, DEF_ATTR); addParam(PROP_VALUE, DEF_VALUE); }; - + protected static void addParam(String name, Object value) { mParamNames.addElement(name); mParamDefault.put(name, value); @@ -209,8 +208,8 @@ public class AttributePresentConstraints extends APolicyRule protected void getStringConfigParam(IConfigStore config, String paramName) { try { mParamValue.put( - paramName, config.getString(paramName, (String) mParamDefault.get(paramName)) - ); + paramName, config.getString(paramName, (String) mParamDefault.get(paramName)) + ); } catch (Exception e) { } } @@ -218,12 +217,12 @@ public class AttributePresentConstraints extends APolicyRule protected void getIntConfigParam(IConfigStore config, String paramName) { try { mParamValue.put( - paramName, Integer.valueOf( - config.getInteger(paramName, - ((Integer) mParamDefault.get(paramName)).intValue() - ) - ) - ); + paramName, Integer.valueOf( + config.getInteger(paramName, + ((Integer) mParamDefault.get(paramName)).intValue() + ) + ) + ); } catch (Exception e) { } } @@ -231,18 +230,18 @@ public class AttributePresentConstraints extends APolicyRule protected void getBooleanConfigParam(IConfigStore config, String paramName) { try { mParamValue.put( - paramName, Boolean.valueOf( - config.getBoolean(paramName, - ((Boolean) mParamDefault.get(paramName)).booleanValue() - ) - ) - ); + paramName, Boolean.valueOf( + config.getBoolean(paramName, + ((Boolean) mParamDefault.get(paramName)).booleanValue() + ) + ) + ); } catch (Exception e) { } } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mParamValue = new Hashtable<String, Object>(); @@ -277,7 +276,7 @@ public class AttributePresentConstraints extends APolicyRule String requestType = r.getRequestType(); if (requestType.equals(IRequest.ENROLLMENT_REQUEST) || - requestType.equals(IRequest.RENEWAL_REQUEST)) { + requestType.equals(IRequest.RENEWAL_REQUEST)) { String uid = r.getExtDataInString(IRequest.HTTP_PARAMS, "uid"); @@ -291,10 +290,10 @@ public class AttributePresentConstraints extends APolicyRule try { String[] attrs = { (String) mParamValue.get(PROP_ATTR) }; - LDAPSearchResults searchResult = - mCheckAttrLdapConnection.search((String) mParamValue.get(PROP_LDAP_BASE), - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, false); - + LDAPSearchResults searchResult = + mCheckAttrLdapConnection.search((String) mParamValue.get(PROP_LDAP_BASE), + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, false); + if (!searchResult.hasMoreElements()) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); @@ -304,12 +303,12 @@ public class AttributePresentConstraints extends APolicyRule LDAPEntry entry = (LDAPEntry) searchResult.nextElement(); userdn = entry.getDN(); - + LDAPAttribute attr = entry.getAttribute((String) mParamValue.get(PROP_ATTR)); /* if attribute not present, reject the request */ if (attr == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } @@ -331,7 +330,7 @@ public class AttributePresentConstraints extends APolicyRule return PolicyResult.REJECTED; } } - + CMS.debug("AttributePresentConstraints: Attribute is present for user: \"" + userdn + "\""); } catch (LDAPException e) { @@ -344,7 +343,7 @@ public class AttributePresentConstraints extends APolicyRule return res; } - public Vector<String> getInstanceParams() { + public Vector<String> getInstanceParams() { Vector<String> params = new Vector<String>(); Enumeration<String> e = mParamNames.elements(); @@ -397,10 +396,11 @@ public class AttributePresentConstraints extends APolicyRule } protected void log(int level, String msg) { - if (mLogger == null) return; + if (mLogger == null) + return; mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, - level, "AttributePresentConstraints: " + msg); + level, "AttributePresentConstraints: " + msg); } } diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java index 3caee615e..b9a6e24ad 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.math.BigInteger; import java.security.interfaces.DSAParams; import java.util.Locale; @@ -40,20 +39,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * DSAKeyConstraints policy enforces min and max size of the key. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class DSAKeyConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private int mMinSize; private int mMaxSize; @@ -73,7 +72,7 @@ public class DSAKeyConstraints extends APolicyRule defConfParams.addElement(PROP_MIN_SIZE + "=" + DEF_MIN_SIZE); defConfParams.addElement(PROP_MAX_SIZE + "=" + DEF_MAX_SIZE); } - + public DSAKeyConstraints() { NAME = "DSAKeyConstraints"; DESC = "Enforces DSA Key Constraints."; @@ -84,9 +83,9 @@ public class DSAKeyConstraints extends APolicyRule PROP_MIN_SIZE + ";number;Minimum key size", PROP_MAX_SIZE + ";number;Maximum key size", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-dsakeyconstraints", + ";configuration-policyrules-dsakeyconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Rejects request if DSA key size is out of range" + ";Rejects request if DSA key size is out of range" }; return params; @@ -95,18 +94,13 @@ public class DSAKeyConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * - * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=DSAKeyConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minSize=512 - * ra.Policy.rule.<ruleName>.maxSize=1024 - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com - * - * @param config The config store reference + * + * The entries probably are of the form ra.Policy.rule.<ruleName>.implName=DSAKeyConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.minSize=512 ra.Policy.rule.<ruleName>.maxSize=1024 ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get Min and Max sizes mConfig = config; @@ -120,34 +114,34 @@ public class DSAKeyConstraints extends APolicyRule log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_MAX_SIZE, msg)); + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MAX_SIZE, msg)); } if (mMinSize < DEF_MIN_SIZE) { String msg = "cannot be less than " + DEF_MIN_SIZE; log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_MIN_SIZE, msg)); + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } if (mMaxSize % INCREMENT != 0) { String msg = "must be in increments of " + INCREMENT; log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_MIN_SIZE, msg)); + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } if (mMaxSize % INCREMENT != 0) { String msg = "must be in increments of " + INCREMENT; log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_MIN_SIZE, msg)); + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } - + config.putInteger(PROP_MIN_SIZE, mMinSize); config.putInteger(PROP_MAX_SIZE, mMaxSize); @@ -160,8 +154,8 @@ public class DSAKeyConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -171,7 +165,7 @@ public class DSAKeyConstraints extends APolicyRule try { // Get the certificate info from the request X509CertInfo ci[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // There should be a certificate info set. if (ci == null || ci[0] == null) { @@ -182,19 +176,19 @@ public class DSAKeyConstraints extends APolicyRule // Else check if the key size(s) are within the limit. for (int i = 0; i < ci.length; i++) { CertificateX509Key certKey = (CertificateX509Key) - ci[i].get(X509CertInfo.KEY); + ci[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().toString(); if (!alg.equalsIgnoreCase(DSA)) continue; - // Check DSAKey parameters. - // size refers to the p parameter. + // Check DSAKey parameters. + // size refers to the p parameter. DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); DSAParams keyParams = dsaKey.getParams(); - if (keyParams == null) { + if (keyParams == null) { // key parameters could not be parsed. Object[] params = new Object[] { getInstanceName(), String.valueOf(i + 1) }; @@ -205,11 +199,11 @@ public class DSAKeyConstraints extends APolicyRule BigInteger p = keyParams.getP(); int len = p.bitLength(); - if (len < mMinSize || len > mMaxSize || - (len % INCREMENT) != 0) { - String[] parms = new String[] { - getInstanceName(), - String.valueOf(len), + if (len < mMinSize || len > mMaxSize || + (len % INCREMENT) != 0) { + String[] parms = new String[] { + getInstanceName(), + String.valueOf(len), String.valueOf(mMinSize), String.valueOf(mMaxSize), String.valueOf(INCREMENT) }; @@ -220,7 +214,7 @@ public class DSAKeyConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String[] params = { getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; @@ -230,27 +224,27 @@ public class DSAKeyConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); try { confParams.addElement(PROP_MIN_SIZE + "=" + mConfig.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE)); confParams.addElement(PROP_MAX_SIZE + "=" + mConfig.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE)); - } catch (EBaseException e) {; + } catch (EBaseException e) { + ; } return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java b/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java index 3d4aedc34..fd1436469 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Locale; import java.util.Vector; @@ -30,22 +29,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * This is the default revocation policy. Currently this does * nothing. We can later add checks like whether or not to * revoke expired certs ..etc here. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class DefaultRevocation extends APolicyRule - implements IRevocationPolicy, IExtendedPluginInfo { + implements IRevocationPolicy, IExtendedPluginInfo { public DefaultRevocation() { NAME = "DefaultRevocation"; DESC = "Default Revocation Policy"; @@ -54,24 +53,22 @@ public class DefaultRevocation extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=DefaultRevocation - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=DefaultRevocation ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -80,7 +77,7 @@ public class DefaultRevocation extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { @@ -89,7 +86,7 @@ public class DefaultRevocation extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -104,4 +101,3 @@ public class DefaultRevocation extends APolicyRule return params; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java index aed75bcd0..f79688f4a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Locale; import java.util.Vector; @@ -35,29 +34,29 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * IssuerConstraints is a rule for restricting the issuers of the * certificates used for certificate-based enrollments. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$ $Date$ */ public class IssuerConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String PROP_ISSUER_DN = "issuerDN"; private static final String CLIENT_ISSUER = "clientIssuer"; private X500Name mIssuerDN = null; private String mIssuerDNString; /** - * checks the issuer of the ssl client-auth cert. Only one issuer - * is allowed for now + * checks the issuer of the ssl client-auth cert. Only one issuer + * is allowed for now */ public IssuerConstraints() { NAME = "IssuerConstraints"; @@ -68,10 +67,10 @@ public class IssuerConstraints extends APolicyRule String[] params = { PROP_ISSUER_DN + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-issuerconstraints", + ";configuration-policyrules-issuerconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Rejects the request if the issuer in the certificate is" + - "not of the one specified" + ";Rejects the request if the issuer in the certificate is" + + "not of the one specified" }; return params; @@ -81,34 +80,35 @@ public class IssuerConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * @param config The config store reference + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { try { mIssuerDNString = config.getString(PROP_ISSUER_DN, null); - if ((mIssuerDNString != null) && - !mIssuerDNString.equals("")) { + if ((mIssuerDNString != null) && + !mIssuerDNString.equals("")) { mIssuerDN = new X500Name(mIssuerDNString); } } catch (Exception e) { - log(ILogger.LL_FAILURE, - NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + log(ILogger.LL_FAILURE, + NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); - String[] params = {getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } CMS.debug( - NAME + ": init() done"); + NAME + ": init() done"); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -125,82 +125,82 @@ public class IssuerConstraints extends APolicyRule if (!ci_name.equals(mIssuerDN)) { setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", - getInstanceName()), ""); + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); result = PolicyResult.REJECTED; log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); CMS.debug( - NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN + "; expected issuerDN = " + mIssuerDNString); + NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN + "; expected issuerDN = " + mIssuerDNString); } } else { // Get the certificate info from the request X509CertInfo certInfo[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (certInfo == null) { - log(ILogger.LL_FAILURE, - NAME + ": apply() - missing certInfo"); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + log(ILogger.LL_FAILURE, + NAME + ": apply() - missing certInfo"); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } - + for (int i = 0; i < certInfo.length; i++) { String oldIssuer = (String) - certInfo[i].get(X509CertInfo.ISSUER).toString(); - + certInfo[i].get(X509CertInfo.ISSUER).toString(); + if (oldIssuer == null) { setError(req, - CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", - getInstanceName()), ""); + CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", + getInstanceName()), ""); result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - NAME + ": apply() - client issuerDN not found"); + log(ILogger.LL_FAILURE, + NAME + ": apply() - client issuerDN not found"); } X500Name oi_name = new X500Name(oldIssuer); if (!oi_name.equals(mIssuerDN)) { setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", - getInstanceName()), ""); + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer + "; expected issuerDN = " + mIssuerDNString); + log(ILogger.LL_FAILURE, + NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer + "; expected issuerDN = " + mIssuerDNString); } } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } if (result.equals(PolicyResult.ACCEPTED)) { - log(ILogger.LL_INFO, - NAME + ": apply() - accepted"); + log(ILogger.LL_INFO, + NAME + ": apply() - accepted"); } return result; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_ISSUER_DN + "=" + - mIssuerDNString); + mIssuerDNString); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java index 8286cf319..c523ae9f2 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -37,43 +36,43 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * KeyAlgorithmConstraints enforces a constraint that the RA or a CA * honor only the keys generated using one of the permitted algorithms * such as RSA, DSA or DH. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class KeyAlgorithmConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private Vector mAlgorithms; private final static String DEF_KEY_ALGORITHM = "RSA,DSA"; private final static String PROP_ALGORITHMS = "algorithms"; private final static String[] supportedAlgorithms = - {"RSA", "DSA", "DH" }; + { "RSA", "DSA", "DH" }; private final static Vector defConfParams = new Vector(); static { - defConfParams.addElement(PROP_ALGORITHMS + "=" + - DEF_KEY_ALGORITHM); + defConfParams.addElement(PROP_ALGORITHMS + "=" + + DEF_KEY_ALGORITHM); } public String[] getExtendedPluginInfo(Locale locale) { String params[] = { "algorithms;choice(RSA\\,DSA,RSA,DSA);Certificate's key can be one of these algorithms", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-keyalgorithmconstraints", + ";configuration-policyrules-keyalgorithmconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Rejects the request if the key in the certificate is " + - "not of the type specified" + ";Rejects the request if the key in the certificate is " + + "not of the type specified" }; return params; @@ -87,17 +86,13 @@ public class KeyAlgorithmConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * - * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * The entries probably are of the form ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints ra.Policy.rule.<ruleName>.algorithms=RSA,DSA ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { mAlgorithms = new Vector(); @@ -112,7 +107,7 @@ public class KeyAlgorithmConstraints extends APolicyRule try { algNames = config.getString(PROP_ALGORITHMS, null); } catch (Exception e) { - String[] params = {getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); @@ -133,11 +128,10 @@ public class KeyAlgorithmConstraints extends APolicyRule } // Check if configured algorithms are supported. - for (Enumeration e = mAlgorithms.elements(); - e.hasMoreElements();) { + for (Enumeration e = mAlgorithms.elements(); e.hasMoreElements();) { int i; String configuredAlg = (String) e.nextElement(); - + // See if it is a supported algorithm. for (i = 0; i < supportedAlgorithms.length; i++) { if (configuredAlg.equals(supportedAlgorithms[i])) @@ -148,15 +142,15 @@ public class KeyAlgorithmConstraints extends APolicyRule if (i == supportedAlgorithms.length) throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_UNSUPPORTED_KEY_ALG", - getInstanceName(), configuredAlg)); + getInstanceName(), configuredAlg)); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -179,18 +173,18 @@ public class KeyAlgorithmConstraints extends APolicyRule // Else check if the key algorithm is supported. for (int i = 0; i < certInfo.length; i++) { CertificateX509Key certKey = (CertificateX509Key) - certInfo[i].get(X509CertInfo.KEY); + certInfo[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().getName().toUpperCase(); if (!mAlgorithms.contains(alg)) { - setError(req, CMS.getUserMessage("CMS_POLICY_KEY_ALG_VIOLATION", + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_ALG_VIOLATION", getInstanceName(), alg), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); @@ -201,10 +195,10 @@ public class KeyAlgorithmConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector v = new Vector(); StringBuffer sb = new StringBuffer(); @@ -217,14 +211,13 @@ public class KeyAlgorithmConstraints extends APolicyRule v.addElement(PROP_ALGORITHMS + "=" + sb.toString()); return v; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java index a2bf94373..1abc5bda0 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Vector; import com.netscape.certsrv.authentication.IAuthToken; @@ -29,23 +28,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * ManualAuthentication is an enrollment policy that queues * all requests for issuing agent's approval if no authentication * is present. The policy rejects a request if any of the auth tokens * indicates authentication failure. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class ManualAuthentication extends APolicyRule - implements IEnrollmentPolicy { + implements IEnrollmentPolicy { public ManualAuthentication() { NAME = "ManualAuthentication"; DESC = "Manual Authentication Policy"; @@ -54,30 +53,28 @@ public class ManualAuthentication extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=ManualAuthentication - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ManualAuthentication ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { IAuthToken authToken = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); - if (authToken == null) + if (authToken == null) return deferred(req); return PolicyResult.ACCEPTED; @@ -85,7 +82,7 @@ public class ManualAuthentication extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { @@ -94,11 +91,10 @@ public class ManualAuthentication extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return null; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java index 7f7537bfe..57176950a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -41,21 +40,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * RSAKeyConstraints policy enforces min and max size of the key. * Optionally checks the exponents. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class RSAKeyConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private Vector mExponents; private int mMinSize; private int mMaxSize; @@ -81,10 +80,10 @@ public class RSAKeyConstraints extends APolicyRule PROP_MAX_SIZE + ";number;Maximum size of user's RSA key (bits)", PROP_EXPONENTS + ";string;Comma-separated list of permissible exponents", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-rsakeyconstraints", + ";configuration-policyrules-rsakeyconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Reject request if RSA key length is not within the " + - "specified constraints" + ";Reject request if RSA key length is not within the " + + "specified constraints" }; return params; @@ -98,38 +97,34 @@ public class RSAKeyConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=RSAKeyConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minSize=512 - * ra.Policy.rule.<ruleName>.maxSize=2048 - * ra.Policy.rule.<ruleName>.predicate=ou==Marketing - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=RSAKeyConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.minSize=512 ra.Policy.rule.<ruleName>.maxSize=2048 ra.Policy.rule.<ruleName>.predicate=ou==Marketing + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { if (config == null || config.size() == 0) throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_MISSING_POLICY_CONFIG", - getInstanceName())); + getInstanceName())); String exponents = null; // Get Min and Max sizes mMinSize = config.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE); mMaxSize = config.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE); - if (mMinSize <= 0) + if (mMinSize <= 0) throw new EBaseException( CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MIN_SIZE)); - if (mMaxSize <= 0) + if (mMaxSize <= 0) throw new EBaseException( CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MAX_SIZE)); - if (mMinSize > mMaxSize) + if (mMinSize > mMaxSize) throw new EBaseException( CMS.getUserMessage("CMS_BASE_A_GREATER_THAN_EQUAL_B", PROP_MIN_SIZE, PROP_MAX_SIZE)); @@ -149,8 +144,8 @@ public class RSAKeyConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String[] params = {getInstanceName(), exponents, - PROP_EXPONENTS}; + String[] params = { getInstanceName(), exponents, + PROP_EXPONENTS }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_CONFIG_PARAM", params)); @@ -161,8 +156,8 @@ public class RSAKeyConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -172,11 +167,11 @@ public class RSAKeyConstraints extends APolicyRule try { // Get the certificate info from the request X509CertInfo certInfo[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // There should be a certificate info set. if (certInfo == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -184,7 +179,7 @@ public class RSAKeyConstraints extends APolicyRule // Else check if the key size(s) are within the limit. for (int i = 0; i < certInfo.length; i++) { CertificateX509Key certKey = (CertificateX509Key) - certInfo[i].get(X509CertInfo.KEY); + certInfo[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().toString(); @@ -196,22 +191,22 @@ public class RSAKeyConstraints extends APolicyRule newkey = new X509Key(AlgorithmId.get("RSA"), key.getKey()); } catch (Exception e) { - CMS.debug( "RSAKeyConstraints::apply() - " - + "Exception="+e.toString() ); - setError( req, - CMS.getUserMessage( "CMS_POLICY_KEY_SIZE_VIOLATION", - getInstanceName() ), - "" ); + CMS.debug("RSAKeyConstraints::apply() - " + + "Exception=" + e.toString()); + setError(req, + CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", + getInstanceName()), + ""); return PolicyResult.REJECTED; } RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); int keySize = rsaKey.getKeySize(); if (keySize < mMinSize || keySize > mMaxSize) { - String[] params = {getInstanceName(), - String.valueOf(keySize), + String[] params = { getInstanceName(), + String.valueOf(keySize), String.valueOf(mMinSize), - String.valueOf(mMaxSize)}; + String.valueOf(mMaxSize) }; setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", params), ""); @@ -226,15 +221,14 @@ public class RSAKeyConstraints extends APolicyRule if (!mExponents.contains(exp)) { StringBuffer sb = new StringBuffer(); - for (Enumeration e = mExponents.elements(); - e.hasMoreElements();) { + for (Enumeration e = mExponents.elements(); e.hasMoreElements();) { BigInt bi = (BigInt) e.nextElement(); sb.append(bi.toBigInteger().toString()); sb.append(" "); } - String[] params = {getInstanceName(), - exp.toBigInteger().toString(), new String(sb)}; + String[] params = { getInstanceName(), + exp.toBigInteger().toString(), new String(sb) }; setError(req, CMS.getUserMessage("CMS_POLICY_EXPONENT_VIOLATION", params), ""); result = PolicyResult.REJECTED; @@ -243,7 +237,7 @@ public class RSAKeyConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; @@ -253,10 +247,10 @@ public class RSAKeyConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_MIN_SIZE + "=" + mMinSize); @@ -275,11 +269,10 @@ public class RSAKeyConstraints extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java index 08e479b84..499e2663b 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -37,21 +36,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Whether to allow renewal of an expired cert. + * * @version $Revision$, $Date$ - * <P> - * <PRE> + * <P> + * + * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> - * <P> - * + * <P> + * * @deprecated * @version $Revision$, $Date$ */ public class RenewalConstraints extends APolicyRule - implements IRenewalPolicy, IExtendedPluginInfo { + implements IRenewalPolicy, IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_RENEWAL_NOT_AFTER = "renewalNotAfter"; @@ -66,7 +66,7 @@ public class RenewalConstraints extends APolicyRule static { defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + - DEF_RENEWAL_NOT_AFTER); + DEF_RENEWAL_NOT_AFTER); } public RenewalConstraints() { @@ -79,10 +79,10 @@ public class RenewalConstraints extends APolicyRule PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to renew an already-expired certificate", PROP_RENEWAL_NOT_AFTER + ";number;Number of days since certificate expiry after which renewal request would be rejected", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-renewalconstraints", + ";configuration-policyrules-renewalconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Permit administrator to decide policy on whether to " + - "permit renewals for already-expired certificates" + ";Permit administrator to decide policy on whether to " + + "permit renewals for already-expired certificates" }; return params; @@ -92,24 +92,22 @@ public class RenewalConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { - mAllowExpiredCerts = + mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); String val = config.getString(PROP_RENEWAL_NOT_AFTER, null); - if (val == null) + if (val == null) mRenewalNotAfter = DEF_RENEWAL_NOT_AFTER * DAYS_TO_MS_FACTOR; else { mRenewalNotAfter = Long.parseLong(val) * DAYS_TO_MS_FACTOR; @@ -125,8 +123,8 @@ public class RenewalConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -135,25 +133,25 @@ public class RenewalConstraints extends APolicyRule try { // Get the certificates being renwed. X509CertImpl[] oldCerts = - req.getExtDataInCertArray(IRequest.OLD_CERTS); + req.getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", getInstanceName()), ""); return PolicyResult.REJECTED; } - + if (mAllowExpiredCerts) { CMS.debug("checking validity of each cert"); // check if each cert to be renewed is expired for more than // allowed days. for (int i = 0; i < oldCerts.length; i++) { X509CertInfo oldCertInfo = (X509CertInfo) - oldCerts[i].get(X509CertImpl.NAME + "." + - X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); + oldCerts[i].get(X509CertImpl.NAME + "." + + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate eligible for renewal ? @@ -166,12 +164,12 @@ public class RenewalConstraints extends APolicyRule if (renewedNotAfter.before(now)) { CMS.debug( - "One or more certificates is expired for more than " + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); + "One or more certificates is expired for more than " + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); String params[] = { getInstanceName(), Long.toString(mRenewalNotAfter / DAYS_TO_MS_FACTOR) }; - setError(req, - CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", - params), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", + params), ""); return PolicyResult.REJECTED; } } @@ -182,12 +180,12 @@ public class RenewalConstraints extends APolicyRule // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { X509CertInfo oldCertInfo = (X509CertInfo) - oldCerts[i].get( - X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); @@ -195,19 +193,19 @@ public class RenewalConstraints extends APolicyRule CMS.debug("RenewalConstraints: cert " + i + " notAfter " + notAfter + " now=" + now); if (notAfter.before(now)) { CMS.debug( - "RenewalConstraints: One or more certificates is expired."); + "RenewalConstraints: One or more certificates is expired."); String params[] = { getInstanceName() }; - setError(req, - CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", - params), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", + params), ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; @@ -217,22 +215,22 @@ public class RenewalConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement( - PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + - mRenewalNotAfter / DAYS_TO_MS_FACTOR); + mRenewalNotAfter / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java index 3d98f3c2e..b3f9298cb 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -36,30 +35,30 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * RenewalValidityConstraints is a default rule for Certificate * Renewal. This policy enforces the no of days before which a * currently active certificate can be renewed and sets new validity * period for the renewed certificate starting from the the ending * period in the old certificate. - * + * * The main parameters are: - * - * The renewal leadtime in days: - i.e how many days before the - * expiry of the current certificate can one request the renewal. - * min and max validity duration. + * + * The renewal leadtime in days: - i.e how many days before the + * expiry of the current certificate can one request the renewal. + * min and max validity duration. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class RenewalValidityConstraints extends APolicyRule - implements IRenewalPolicy, IExtendedPluginInfo { + implements IRenewalPolicy, IExtendedPluginInfo { private long mMinValidity; private long mMaxValidity; private long mRenewalInterval; @@ -78,11 +77,11 @@ public class RenewalValidityConstraints extends APolicyRule static { defConfParams.addElement(PROP_MIN_VALIDITY + "=" + - DEF_MIN_VALIDITY); + DEF_MIN_VALIDITY); defConfParams.addElement(PROP_MAX_VALIDITY + "=" + - DEF_MAX_VALIDITY); + DEF_MAX_VALIDITY); defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + - DEF_RENEWAL_INTERVAL); + DEF_RENEWAL_INTERVAL); } public String[] getExtendedPluginInfo(Locale locale) { @@ -91,10 +90,10 @@ public class RenewalValidityConstraints extends APolicyRule PROP_MAX_VALIDITY + ";number;Specifies the maximum validity period, in days, for renewed certificates.", PROP_RENEWAL_INTERVAL + ";number;Specifies how many days before its expiration that a certificate can be renewed.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-renewalvalidityconstraints", + ";configuration-policyrules-renewalvalidityconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Reject renewal request if the certificate is too far " + - "before it's expiry date" + ";Reject renewal request if the certificate is too far " + + "before it's expiry date" }; return params; @@ -109,20 +108,15 @@ public class RenewalValidityConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minValidity=30 - * ra.Policy.rule.<ruleName>.maxValidity=180 - * ra.Policy.rule.<ruleName>.renewalInterval=15 - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.minValidity=30 ra.Policy.rule.<ruleName>.maxValidity=180 ra.Policy.rule.<ruleName>.renewalInterval=15 ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and onfigure them. try { @@ -148,7 +142,7 @@ public class RenewalValidityConstraints extends APolicyRule // minValidity can't be bigger than maxValidity. if (mMinValidity > mMaxValidity) { - String params[] = {getInstanceName(), + String params[] = { getInstanceName(), String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; @@ -158,7 +152,7 @@ public class RenewalValidityConstraints extends APolicyRule // Renewal interval can't be more than maxValidity. if (mRenewalInterval > mMaxValidity) { - String params[] = {getInstanceName(), + String params[] = { getInstanceName(), String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; @@ -167,7 +161,7 @@ public class RenewalValidityConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String[] params = {getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); @@ -177,8 +171,8 @@ public class RenewalValidityConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -191,15 +185,15 @@ public class RenewalValidityConstraints extends APolicyRule try { // Get the certificate info from the request X509CertInfo certInfo[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // Get the certificates being renwed. X509CertImpl currentCerts[] = - req.getExtDataInCertArray(IRequest.OLD_CERTS); + req.getExtDataInCertArray(IRequest.OLD_CERTS); // Both certificate info and current certs should be set if (certInfo == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -218,12 +212,12 @@ public class RenewalValidityConstraints extends APolicyRule // set the validity. for (int i = 0; i < certInfo.length; i++) { X509CertInfo oldCertInfo = (X509CertInfo) - currentCerts[i].get(X509CertImpl.NAME + - "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); + currentCerts[i].get(X509CertImpl.NAME + + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); @@ -233,14 +227,14 @@ public class RenewalValidityConstraints extends APolicyRule long interval = notAfter.getTime() - now.getTime(); if (interval > mRenewalInterval) { - setError(req, - CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", - getInstanceName(), - String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); - setError(req, - CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", - getInstanceName(), - getCertDetails(req, currentCerts[i])), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", + getInstanceName(), + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", + getInstanceName(), + getCertDetails(req, currentCerts[i])), ""); result = PolicyResult.REJECTED; setDummyValidity(certInfo[i]); @@ -256,19 +250,19 @@ public class RenewalValidityConstraints extends APolicyRule // If the new notAfter is within renewal interval days from // today or already expired, set the notBefore to today. if (renewedNotAfter.before(now) || - (renewedNotAfter.getTime() - now.getTime()) <= - mRenewalInterval) { + (renewedNotAfter.getTime() - now.getTime()) <= + mRenewalInterval) { renewedNotBef = now; renewedNotAfter = new Date(now.getTime() + mMaxValidity); } CertificateValidity newValidity = - new CertificateValidity(renewedNotBef, renewedNotAfter); + new CertificateValidity(renewedNotBef, renewedNotAfter); certInfo[i].set(X509CertInfo.VALIDITY, newValidity); } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; @@ -278,24 +272,24 @@ public class RenewalValidityConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_MIN_VALIDITY + "=" + - mMinValidity / DAYS_TO_MS_FACTOR); + mMinValidity / DAYS_TO_MS_FACTOR); confParams.addElement(PROP_MAX_VALIDITY + "=" + - mMaxValidity / DAYS_TO_MS_FACTOR); + mMaxValidity / DAYS_TO_MS_FACTOR); confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + - mRenewalInterval / DAYS_TO_MS_FACTOR); + mRenewalInterval / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -306,7 +300,7 @@ public class RenewalValidityConstraints extends APolicyRule private void setDummyValidity(X509CertInfo certInfo) { try { certInfo.set(X509CertInfo.VALIDITY, - new CertificateValidity(CMS.getCurrentDate(), new Date())); + new CertificateValidity(CMS.getCurrentDate(), new Date())); } catch (Exception e) { } } @@ -317,8 +311,8 @@ public class RenewalValidityConstraints extends APolicyRule sb.append("\n"); sb.append("Serial No: " + cert.getSerialNumber().toString(16)); sb.append("\n"); - sb.append("Validity: " + cert.getNotBefore().toString() + - " - " + cert.getNotAfter().toString()); + sb.append("Validity: " + cert.getNotBefore().toString() + + " - " + cert.getNotAfter().toString()); sb.append("\n"); String certType = req.getExtDataInString(IRequest.CERT_TYPE); @@ -326,11 +320,12 @@ public class RenewalValidityConstraints extends APolicyRule certType = IRequest.SERVER_CERT; if (certType.equals(IRequest.CLIENT_CERT)) { - /*** Take this our - URL formulation hard to do here. - sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); - sb.append("\n"); - sb.append("/query/certImport?op=displayByserial&serialNumber="); - sb.append(cert.getSerialNumber().toString(16)); + /*** + * Take this our - URL formulation hard to do here. + * sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); + * sb.append("\n"); + * sb.append("/query/certImport?op=displayByserial&serialNumber="); + * sb.append(cert.getSerialNumber().toString(16)); ***/ sb.append("\n"); } else { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java index 686529f4c..b18e4b7f9 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -38,20 +37,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Whether to allow revocation of an expired cert. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class RevocationConstraints extends APolicyRule - implements IRevocationPolicy, IExtendedPluginInfo { + implements IRevocationPolicy, IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_ALLOW_ON_HOLD = "allowOnHold"; @@ -74,13 +73,13 @@ public class RevocationConstraints extends APolicyRule PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to revoke an already-expired certificate", PROP_ALLOW_ON_HOLD + ";boolean;Allow a user to set reason to On-Hold", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-revocationconstraints", + ";configuration-policyrules-revocationconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Allow administrator to decide policy on whether to allow " + - "recovation of expired certificates" + - "and set reason to On-Hold" + ";Allow administrator to decide policy on whether to allow " + + "recovation of expired certificates" + + "and set reason to On-Hold" - }; + }; return params; @@ -89,20 +88,18 @@ public class RevocationConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and onfigure them. try { - mAllowExpiredCerts = + mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); mAllowOnHold = config.getBoolean(PROP_ALLOW_ON_HOLD, true); @@ -117,8 +114,8 @@ public class RevocationConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -138,35 +135,35 @@ public class RevocationConstraints extends APolicyRule setError(req, CMS.getUserMessage("CMS_POLICY_NO_ON_HOLD_ALLOWED", params), ""); return PolicyResult.REJECTED; - } + } } if (mAllowExpiredCerts) // nothing to check. return PolicyResult.ACCEPTED; - + PolicyResult result = PolicyResult.ACCEPTED; try { // Get the certificates being renwed. X509CertImpl[] oldCerts = - req.getExtDataInCertArray(IRequest.OLD_CERTS); + req.getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT"), - getInstanceName()); + getInstanceName()); return PolicyResult.REJECTED; } // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { X509CertInfo oldCertInfo = (X509CertInfo) - oldCerts[i].get( - X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); @@ -174,16 +171,16 @@ public class RevocationConstraints extends APolicyRule if (notAfter.before(now)) { String params[] = { getInstanceName() }; - setError(req, - CMS.getUserMessage("CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS", - params), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS", + params), ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; @@ -193,22 +190,22 @@ public class RevocationConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement( - PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); confParams.addElement( - PROP_ALLOW_ON_HOLD + "=" + mAllowOnHold); + PROP_ALLOW_ON_HOLD + "=" + mAllowOnHold); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java index 9d5192848..b8ffa86ea 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; @@ -41,21 +40,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * SigningAlgorithmConstraints enforces that only a supported * signing algorithm be requested. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class SigningAlgorithmConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private String[] mAllowedAlgs = null; // algs allowed by this policy static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key private String[] mConfigAlgs = null; // algs listed in config file @@ -94,17 +93,13 @@ public class SigningAlgorithmConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * - * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * The entries probably are of the form ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority(); // Get allowed algorithms from config file @@ -114,7 +109,7 @@ public class SigningAlgorithmConstraints extends APolicyRule try { algNames = config.getString(PROP_ALGORITHMS, null); } catch (Exception e) { - String[] params = {getInstanceName(), e.toString(), PROP_ALGORITHMS}; + String[] params = { getInstanceName(), e.toString(), PROP_ALGORITHMS }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params)); @@ -136,7 +131,7 @@ public class SigningAlgorithmConstraints extends APolicyRule for (int i = 0; i < itemCount; i++) { mAllowedAlgs[i] = (String) algs.elementAt(i); } - + } } @@ -149,8 +144,8 @@ public class SigningAlgorithmConstraints extends APolicyRule if (mAllowedAlgs != null) { // winnow out unknown algorithms - winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, - "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); + winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, + "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); } else { // if nothing was in the config file, allow all known algs mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS; @@ -183,16 +178,16 @@ public class SigningAlgorithmConstraints extends APolicyRule // get list of algorithms allowed for the key String[] allowedByKey = - ((ICertAuthority) mAuthority).getCASigningAlgorithms(); + ((ICertAuthority) mAuthority).getCASigningAlgorithms(); if (allowedByKey != null) { // don't show algorithms that don't match CA's key in UI. mDefaultAllowedAlgs = new String[allowedByKey.length]; for (int i = 0; i < allowedByKey.length; i++) mDefaultAllowedAlgs[i] = allowedByKey[i]; - // winnow out algorithms that don't match CA's signing key + // winnow out algorithms that don't match CA's signing key winnowAlgs(allowedByKey, - "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false); + "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false); winnowedByKey = true; } else { // We don't know the CA's signing algorithms. Maybe we're @@ -203,14 +198,14 @@ public class SigningAlgorithmConstraints extends APolicyRule /** * Winnows out of mAllowedAlgorithms those algorithms that aren't allowed * for some reason. - * - * @param allowed An array of allowed algorithms. Only algorithms in this - * list will survive the winnowing process. + * + * @param allowed An array of allowed algorithms. Only algorithms in this + * list will survive the winnowing process. * @param reason A string describing the problem with an algorithm - * that is not allowed by this list. Must be a predefined string in PolicyResources. + * that is not allowed by this list. Must be a predefined string in PolicyResources. */ - private void winnowAlgs(String[] allowed, String reason, boolean isError) - throws EBaseException { + private void winnowAlgs(String[] allowed, String reason, boolean isError) + throws EBaseException { int i, j, goodSize; // validate the currently-allowed algorithms @@ -240,7 +235,7 @@ public class SigningAlgorithmConstraints extends APolicyRule // convert back into an array goodSize = goodAlgs.size(); if (mAllowedAlgs.length != goodSize) { - mAllowedAlgs = new String[ goodSize ]; + mAllowedAlgs = new String[goodSize]; for (i = 0; i < goodSize; i++) { mAllowedAlgs[i] = (String) goodAlgs.elementAt(i); } @@ -250,8 +245,8 @@ public class SigningAlgorithmConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -282,10 +277,10 @@ public class SigningAlgorithmConstraints extends APolicyRule } CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) - certInfo[i].get(X509CertInfo.ALGORITHM_ID); + certInfo[i].get(X509CertInfo.ALGORITHM_ID); AlgorithmId algId = (AlgorithmId) - certAlgId.get(CertificateAlgorithmId.ALGORITHM); + certAlgId.get(CertificateAlgorithmId.ALGORITHM); String alg = algId.getName(); // test against the list of allowed algorithms @@ -298,10 +293,10 @@ public class SigningAlgorithmConstraints extends APolicyRule // if the algor doesn't match the CA's key replace // it with one that does. if (mAllowedAlgs[0].equals("SHA1withDSA") || - alg.equals("SHA1withDSA")) { + alg.equals("SHA1withDSA")) { certInfo[i].set(X509CertInfo.ALGORITHM_ID, - new CertificateAlgorithmId( - AlgorithmId.get(mAllowedAlgs[0]))); + new CertificateAlgorithmId( + AlgorithmId.get(mAllowedAlgs[0]))); return PolicyResult.ACCEPTED; } @@ -313,9 +308,9 @@ public class SigningAlgorithmConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } @@ -324,10 +319,10 @@ public class SigningAlgorithmConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); StringBuffer sb = new StringBuffer(); @@ -343,10 +338,10 @@ public class SigningAlgorithmConstraints extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { StringBuffer sb = new StringBuffer(); sb.append(PROP_ALGORITHMS); sb.append("="); @@ -365,14 +360,14 @@ public class SigningAlgorithmConstraints extends APolicyRule } defConfParams.addElement(sb.toString()); - return defConfParams; + return defConfParams; } public String[] getExtendedPluginInfo(Locale locale) { if (!winnowedByKey) { - try { - winnowByKey(); - } catch (Exception e) { + try { + winnowByKey(); + } catch (Exception e) { } } @@ -380,51 +375,51 @@ public class SigningAlgorithmConstraints extends APolicyRule String[] params_BOTH = { PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," + - "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"+ - "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + - "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," + - "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + - "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," + - "MD2withRSA\\,MD5withRSA," + - "MD2withRSA\\,SHA1withRSA," + - "MD2withRSA\\,SHA1withDSA," + - "MD5withRSA\\,SHA1withRSA," + - "MD5withRSA\\,SHA1withDSA," + - "SHA1withRSA\\,SHA1withDSA," + - "MD2withRSA," + - "MD5withRSA," + - "SHA1withRSA," + - "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " + - "to be one of the algorithms supported by Certificate System", + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withDSA," + + "SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA," + + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " + + "to be one of the algorithms supported by Certificate System", IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Restricts the requested signing algorithm to be one of" + - " the algorithms supported by Certificate System" + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" }; String[] params_RSA = { PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + - "MD2withRSA\\,MD5withRSA," + - "MD2withRSA\\,SHA1withRSA," + - "MD5withRSA\\,SHA1withRSA," + - "MD2withRSA," + - "MD5withRSA," + - "SHA1withRSA);Restrict the requested signing algorithm to be " + - "one of the algorithms supported by Certificate System", + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA);Restrict the requested signing algorithm to be " + + "one of the algorithms supported by Certificate System", IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Restricts the requested signing algorithm to be one of" + - " the algorithms supported by Certificate System" + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" }; String[] params_DSA = { PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " + - "algorithm to be one of the algorithms supported by Certificate " + - "System", + "algorithm to be one of the algorithms supported by Certificate " + + "System", IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Restricts the requested signing algorithm to be one of" + - " the algorithms supported by Certificate System" + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" }; switch (mDefaultAllowedAlgs.length) { @@ -447,4 +442,3 @@ public class SigningAlgorithmConstraints extends APolicyRule } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java index 8e8cd4a73..0cec678cd 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Locale; import java.util.Vector; @@ -41,16 +40,16 @@ import com.netscape.certsrv.request.PolicyResult; import com.netscape.certsrv.security.ISigningUnit; import com.netscape.cms.policy.APolicyRule; - /** * This simple policy checks the subordinate CA CSR to see * if it is the same as the local CA. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ @@ -66,32 +65,28 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli public String[] getExtendedPluginInfo(Locale locale) { String[] params = { IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subcanamecheck", + ";configuration-policyrules-subcanamecheck", IExtendedPluginInfo.HELP_TEXT + - ";Checks if subordinate CA request matches the local CA. There are no parameters to change" + ";Checks if subordinate CA request matches the local CA. There are no parameters to change" }; return params; } - + /** * Initializes this policy rule. * <P> - * - * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * The entries probably are of the form ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints ra.Policy.rule.<ruleName>.algorithms=RSA,DSA ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // get CA's public key to create authority key id. - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. @@ -106,7 +101,7 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli } mCA = (ICertificateAuthority) certAuthority; ISigningUnit su = mCA.getSigningUnit(); - if( su == null || CMS.isPreOpMode() ) { + if (su == null || CMS.isPreOpMode()) { return; } @@ -124,8 +119,8 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -136,7 +131,7 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli // Get the certificate templates X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( IRequest.CERT_INFO); - + if (certInfos == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_CERT_INFO", getInstanceName())); setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME + ":" + getInstanceName()), ""); @@ -163,7 +158,7 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli } } catch (Exception e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_SUBJECT_NAME_1", getInstanceName())); - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); @@ -174,24 +169,23 @@ public class SubCANameConstraints extends APolicyRule implements IEnrollmentPoli /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector v = new Vector(); return v; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector v = new Vector(); return v; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java index dc8ecd79d..9afbf7650 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java @@ -17,17 +17,15 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - - - /** * This class is used to help migrate CMS4.1 to CMS4.2. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java index 4e7cefe7e..f1df2bb5e 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.io.IOException; import java.util.Enumeration; import java.util.Locale; @@ -44,35 +43,35 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Checks the uniqueness of the subject name. This policy - * can only be used (installed) in Certificate Authority - * subsystem. - * + * can only be used (installed) in Certificate Authority + * subsystem. + * * This policy can perform pre-agent-approval checking or * post-agent-approval checking based on configuration * setting. - * + * * In some situations, user may want to have 2 certificates with - * the same subject name. For example, one key for encryption, - * and one for signing. This policy does not deal with this case + * the same subject name. For example, one key for encryption, + * and one for signing. This policy does not deal with this case * directly. But it can be easily extended to do that. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class UniqueSubjectNameConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { - protected static final String PROP_PRE_AGENT_APPROVAL_CHECKING = - "enablePreAgentApprovalChecking"; - protected static final String PROP_KEY_USAGE_EXTENSION_CHECKING = - "enableKeyUsageExtensionChecking"; +public class UniqueSubjectNameConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_PRE_AGENT_APPROVAL_CHECKING = + "enablePreAgentApprovalChecking"; + protected static final String PROP_KEY_USAGE_EXTENSION_CHECKING = + "enableKeyUsageExtensionChecking"; public ICertificateAuthority mCA = null; @@ -82,17 +81,17 @@ public class UniqueSubjectNameConstraints extends APolicyRule public UniqueSubjectNameConstraints() { NAME = "UniqueSubjectName"; DESC = "Ensure the uniqueness of the subject name."; - } + } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_PRE_AGENT_APPROVAL_CHECKING + ";boolean;If checked, check subject name uniqueness BEFORE agent approves, (else checks AFTER approval)", PROP_KEY_USAGE_EXTENSION_CHECKING + ";boolean;If checked, allow non-unique subject names if Key Usage Extension differs", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-uniquesubjectname", + ";configuration-policyrules-uniquesubjectname", IExtendedPluginInfo.HELP_TEXT + - ";Rejects a request if there exists an unrevoked, unexpired " + - "certificate with the same subject name" + ";Rejects a request if there exists an unrevoked, unexpired " + + "certificate with the same subject name" }; return params; @@ -102,22 +101,18 @@ public class UniqueSubjectNameConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ca.Policy.rule.<ruleName>.implName=UniqueSubjectName - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.enablePreAgentApprovalChecking=true - * ca.Policy.rule.<ruleName>.enableKeyUsageExtensionChecking=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=UniqueSubjectName ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.enablePreAgentApprovalChecking=true ca.Policy.rule.<ruleName>.enableKeyUsageExtensionChecking=true + * + * @param config The config store reference */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { // get CA's public key to create authority key id. ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. @@ -131,12 +126,12 @@ public class UniqueSubjectNameConstraints extends APolicyRule mCA = (ICertificateAuthority) certAuthority; try { - mPreAgentApprovalChecking = + mPreAgentApprovalChecking = config.getBoolean(PROP_PRE_AGENT_APPROVAL_CHECKING, false); } catch (EBaseException e) { } try { - mKeyUsageExtensionChecking = + mKeyUsageExtensionChecking = config.getBoolean(PROP_KEY_USAGE_EXTENSION_CHECKING, true); } catch (EBaseException e) { } @@ -145,8 +140,8 @@ public class UniqueSubjectNameConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -162,9 +157,9 @@ public class UniqueSubjectNameConstraints extends APolicyRule // Get the certificate templates X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( IRequest.CERT_INFO); - + if (certInfos == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -172,11 +167,11 @@ public class UniqueSubjectNameConstraints extends APolicyRule // retrieve the subject name and check its unqiueness for (int i = 0; i < certInfos.length; i++) { CertificateSubjectName subName = (CertificateSubjectName) - certInfos[i].get(X509CertInfo.SUBJECT); + certInfos[i].get(X509CertInfo.SUBJECT); // if there is no name set, set one here. if (subName == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -184,8 +179,8 @@ public class UniqueSubjectNameConstraints extends APolicyRule String filter = "x509Cert.subject=" + certSubjectName; // subject name is indexed, so we only use subject name // in the filter - Enumeration matched = - mCA.getCertificateRepository().findCertRecords(filter); + Enumeration matched = + mCA.getCertificateRepository().findCertRecords(filter); while (matched.hasMoreElements()) { ICertRecord rec = (ICertRecord) matched.nextElement(); @@ -195,7 +190,7 @@ public class UniqueSubjectNameConstraints extends APolicyRule // accept this only if we have a REVOKED, // EXPIRED or REVOKED_EXPIRED certificate continue; - + } // you already have an VALID or INVALID (not yet valid) certificate if (mKeyUsageExtensionChecking && agentApproved(req)) { @@ -210,15 +205,15 @@ public class UniqueSubjectNameConstraints extends APolicyRule } } - setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", getInstanceName() + " " + certSubjectName), ""); return PolicyResult.REJECTED; } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } @@ -229,8 +224,8 @@ public class UniqueSubjectNameConstraints extends APolicyRule * Checks if the key extension in the issued certificate * is the same as the one in the certificate template. */ - private boolean sameKeyUsageExtension(ICertRecord rec, - X509CertInfo certInfo) { + private boolean sameKeyUsageExtension(ICertRecord rec, + X509CertInfo certInfo) { X509CertImpl impl = rec.getCertificate(); boolean bits[] = impl.getKeyUsage(); @@ -282,25 +277,25 @@ public class UniqueSubjectNameConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + - "=" + mPreAgentApprovalChecking); + "=" + mPreAgentApprovalChecking); confParams.addElement(PROP_KEY_USAGE_EXTENSION_CHECKING + - "=" + mKeyUsageExtensionChecking); + "=" + mKeyUsageExtensionChecking); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + "="); diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java index 62c49450b..ef35f5e64 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -35,26 +34,26 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * ValidityConstraints is a default rule for Enrollment and * Renewal that enforces minimum and maximum validity periods * and changes them if not met. - * + * * Optionally the lead and lag times - i.e how far back into the * front or back the notBefore date could go in minutes can also * be specified. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class ValidityConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected long mMinValidity; protected long mMaxValidity; protected long mLeadTime; @@ -78,15 +77,15 @@ public class ValidityConstraints extends APolicyRule static { defConfParams.addElement(PROP_MIN_VALIDITY + "=" + - DEF_MIN_VALIDITY); + DEF_MIN_VALIDITY); defConfParams.addElement(PROP_MAX_VALIDITY + "=" + - DEF_MAX_VALIDITY); + DEF_MAX_VALIDITY); defConfParams.addElement(PROP_LEAD_TIME + "=" + - DEF_LEAD_TIME); + DEF_LEAD_TIME); defConfParams.addElement(PROP_LAG_TIME + "=" + - DEF_LAG_TIME); + DEF_LAG_TIME); defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + - DEF_NOT_BEFORE_SKEW); + DEF_NOT_BEFORE_SKEW); } public String[] getExtendedPluginInfo(Locale locale) { @@ -97,11 +96,11 @@ public class ValidityConstraints extends APolicyRule PROP_LAG_TIME + ";number;NOT CURRENTLY IN USE", PROP_NOT_BEFORE_SKEW + ";number;Number of minutes a cert's notBefore should be in the past", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-validityconstraints", + ";configuration-policyrules-validityconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Ensures that the user's requested validity period is " + - "acceptable. If not specified, as is usually the case, " + - "this policy will set the validity. See RFC 2459." + ";Ensures that the user's requested validity period is " + + "acceptable. If not specified, as is usually the case, " + + "this policy will set the validity. See RFC 2459." }; return params; @@ -116,19 +115,15 @@ public class ValidityConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minValidity=30 - * ra.Policy.rule.<ruleName>.maxValidity=180 - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints ra.Policy.rule.<ruleName>.enable=true ra.Policy.rule.<ruleName>.minValidity=30 ra.Policy.rule.<ruleName>.maxValidity=180 ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { @@ -164,7 +159,7 @@ public class ValidityConstraints extends APolicyRule mNotBeforeSkew = DEF_NOT_BEFORE_SKEW * MINS_TO_MS_FACTOR; } catch (Exception e) { // e.printStackTrace(); - String[] params = {getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); @@ -174,8 +169,8 @@ public class ValidityConstraints extends APolicyRule /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -198,7 +193,7 @@ public class ValidityConstraints extends APolicyRule // Else check if validity is within the limit for (int i = 0; i < certInfo.length; i++) { CertificateValidity validity = (CertificateValidity) - certInfo[i].get(X509CertInfo.VALIDITY); + certInfo[i].get(X509CertInfo.VALIDITY); Date notBefore = null, notAfter = null; @@ -215,9 +210,9 @@ public class ValidityConstraints extends APolicyRule // (date = 0 is hack for serialization) if (validity == null || - (notBefore.getTime() == 0 && notAfter.getTime() == 0)) { + (notBefore.getTime() == 0 && notAfter.getTime() == 0)) { certInfo[i].set(X509CertInfo.VALIDITY, - makeDefaultValidity(req)); + makeDefaultValidity(req)); continue; } @@ -228,22 +223,20 @@ public class ValidityConstraints extends APolicyRule getInstanceName()), ""); result = PolicyResult.REJECTED; } - if ((notAfter.getTime() - notBefore.getTime()) > - mMaxValidity) { - String params[] = {getInstanceName(), + if ((notAfter.getTime() - notBefore.getTime()) > mMaxValidity) { + String params[] = { getInstanceName(), String.valueOf( - ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), - String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR)}; + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; setError(req, CMS.getUserMessage("CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), ""); result = PolicyResult.REJECTED; } - if ((notAfter.getTime() - notBefore.getTime()) < - mMinValidity) { - String params[] = {getInstanceName(), + if ((notAfter.getTime() - notBefore.getTime()) < mMinValidity) { + String params[] = { getInstanceName(), String.valueOf( - ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), - String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR)}; + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR) }; setError(req, CMS.getUserMessage("CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), ""); result = PolicyResult.REJECTED; @@ -251,7 +244,7 @@ public class ValidityConstraints extends APolicyRule } } catch (Exception e) { // e.printStackTrace(); - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); @@ -262,28 +255,28 @@ public class ValidityConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_MIN_VALIDITY + "=" + - mMinValidity / DAYS_TO_MS_FACTOR); + mMinValidity / DAYS_TO_MS_FACTOR); confParams.addElement(PROP_MAX_VALIDITY + "=" + - mMaxValidity / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_LEAD_TIME + "=" - + mLeadTime / MINS_TO_MS_FACTOR); - confParams.addElement(PROP_LAG_TIME + "=" + - mLagTime / MINS_TO_MS_FACTOR); - confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + - mNotBeforeSkew / MINS_TO_MS_FACTOR); + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_LEAD_TIME + "=" + + mLeadTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_LAG_TIME + "=" + + mLagTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + + mNotBeforeSkew / MINS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -292,10 +285,10 @@ public class ValidityConstraints extends APolicyRule /** * Create a default validity value for a request - * + * * This code can be easily overridden in a derived class, if the * calculations here aren't accepatble. - * + * * TODO: it might be good to base this calculation on the creation * time of the request. */ @@ -312,7 +305,7 @@ public class ValidityConstraints extends APolicyRule /** * convert a millisecond resolution time into one with 1 second - * resolution. Most times in certificates are storage at 1 + * resolution. Most times in certificates are storage at 1 * second resolution, so its better if we deal with things at * that level. */ @@ -320,4 +313,3 @@ public class ValidityConstraints extends APolicyRule return (input / 1000) * 1000; } } - |