diff options
author | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
commit | 171aaece4f23709d33d180cf36eb3af5e454b0c9 (patch) | |
tree | 1485f9f0a7bd10de4ff25030db575dbb8dafae74 /pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java | |
parent | adad2fcee8a29fdb82376fbce07dedb11fccc182 (diff) | |
download | pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.gz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.xz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.zip |
Revert "Formatting"
This reverts commit 32150d3ee32f8ac27118af7c792794b538c78a2f.
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java | 371 |
1 files changed, 197 insertions, 174 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java index f02a5c7c8..b47e2230d 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; + import java.util.Enumeration; import java.util.Locale; @@ -42,52 +43,57 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.def.NoDefault; /** - * This constraint is to check for publickey uniqueness. The config param - * "allowSameKeyRenewal" enables the situation where if the publickey is not - * unique, and if the subject DN is the same, that is a "renewal". - * - * Another "feature" that is quoted out of this code is the "revokeDupKeyCert" - * option, which enables the revocation of certs that bear the same publickey as - * the enrolling request. Since this can potentially be abused, it is taken out - * and preserved in comments to allow future refinement. - * + * This constraint is to check for publickey uniqueness. + * The config param "allowSameKeyRenewal" enables the + * situation where if the publickey is not unique, and if + * the subject DN is the same, that is a "renewal". + * + * Another "feature" that is quoted out of this code is the + * "revokeDupKeyCert" option, which enables the revocation + * of certs that bear the same publickey as the enrolling + * request. Since this can potentially be abused, it is taken + * out and preserved in comments to allow future refinement. + * * @version $Revision$, $Date$ */ public class UniqueKeyConstraint extends EnrollConstraint { - /* - * public static final String CONFIG_REVOKE_DUPKEY_CERT = - * "revokeDupKeyCert"; boolean mRevokeDupKeyCert = false; - */ - public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = "allowSameKeyRenewal"; - boolean mAllowSameKeyRenewal = false; + /* + public static final String CONFIG_REVOKE_DUPKEY_CERT = + "revokeDupKeyCert"; + boolean mRevokeDupKeyCert = false; + */ + public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = + "allowSameKeyRenewal"; + boolean mAllowSameKeyRenewal = false; public ICertificateAuthority mCA = null; - public UniqueKeyConstraint() { - super(); - /* - * addConfigName(CONFIG_REVOKE_DUPKEY_CERT); - */ - addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); - } + public UniqueKeyConstraint() { + super(); + /* + addConfigName(CONFIG_REVOKE_DUPKEY_CERT); + */ + addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); + } - public void init(IProfile profile, IConfigStore config) - throws EProfileException { + public void init(IProfile profile, IConfigStore config) + throws EProfileException { super.init(profile, config); - mCA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { - /* - * if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { return new - * Descriptor(IDescriptor.BOOLEAN, null, "false", - * CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); - * } - */ - if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { - return new Descriptor(IDescriptor.BOOLEAN, null, "false", - CMS.getUserMessage(locale, - "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); - } + public IDescriptor getConfigDescriptor(Locale locale, String name) + { + /* + if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); + } + */ + if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); + } return null; } @@ -96,156 +102,173 @@ public class UniqueKeyConstraint extends EnrollConstraint { } /** - * Validates the request. The request is not modified during the validation. + * Validates the request. The request is not modified + * during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { - boolean rejected = false; - int size = 0; - ICertRecordList list; + throws ERejectException { + boolean rejected = false; + int size = 0; + ICertRecordList list; - /* - * mRevokeDupKeyCert = getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); - */ - mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); + /* + mRevokeDupKeyCert = + getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); + */ + mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); try { - CertificateX509Key infokey = (CertificateX509Key) info - .get(X509CertInfo.KEY); - X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); - - // check for key uniqueness - byte pub[] = key.getEncoded(); - String pub_s = escapeBinaryData(pub); - String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA - + "=" + pub_s + ")"; - list = (ICertRecordList) mCA.getCertificateRepository() - .findCertRecordsInList(filter, null, 10); - size = list.getSize(); + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) + infokey.get(CertificateX509Key.KEY); + + // check for key uniqueness + byte pub[] = key.getEncoded(); + String pub_s = escapeBinaryData(pub); + String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA +"=" + pub_s + ")"; + list = + (ICertRecordList) + mCA.getCertificateRepository().findCertRecordsInList(filter, null, 10); + size = list.getSize(); } catch (Exception e) { - throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_INTERNAL_ERROR", e.toString())); - } + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_INTERNAL_ERROR",e.toString())); + } - /* - * It does not matter if the corresponding cert's status is valid or - * not, we don't want a key that was once generated before - */ - if (size > 0) { - CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); - - /* - * The following code revokes the existing certs that have the same - * public key as the one submitted for enrollment request. However, - * it is not a good idea due to possible abuse. It is therefore - * commented out. It is still however still maintained for possible - * utilization at later time - * - * // if configured to revoke duplicated key // revoke cert if - * (mRevokeDupKeyCert) { try { Enumeration e = - * list.getCertRecords(0, size-1); while (e != null && - * e.hasMoreElements()) { ICertRecord rec = (ICertRecord) - * e.nextElement(); X509CertImpl cert = rec.getCertificate(); - * - * // revoke the cert BigInteger serialNum = cert.getSerialNumber(); - * ICAService service = (ICAService) mCA.getCAService(); - * - * RevokedCertImpl crlEntry = formCRLEntry(serialNum, - * RevocationReason.KEY_COMPROMISE); service.revokeCert(crlEntry); - * CMS.debug( - * "UniqueKeyConstraint: certificate with duplicate publickey revoked successfully" - * ); } } catch (Exception ex) { - * CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); } - * } // revoke dupkey cert turned on - */ - - if (mAllowSameKeyRenewal == true) { - X500Name sjname_in_db = null; - X500Name sjname_in_req = null; - - try { - // get subject of request - CertificateSubjectName subName = (CertificateSubjectName) info - .get(X509CertInfo.SUBJECT); - - if (subName != null) { - - sjname_in_req = (X500Name) subName - .get(CertificateSubjectName.DN_NAME); - CMS.debug("UniqueKeyConstraint: cert request subject DN =" - + sjname_in_req.toString()); - Enumeration e = list.getCertRecords(0, size - 1); - while (e != null && e.hasMoreElements()) { - ICertRecord rec = (ICertRecord) e.nextElement(); - X509CertImpl cert = rec.getCertificate(); - String certDN = cert.getSubjectDN().toString(); - CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" - + certDN); - - sjname_in_db = new X500Name(certDN); - - if (sjname_in_db.equals(sjname_in_req) == false) { - rejected = true; - break; - } else { - rejected = false; - } - } // while - } else { // subName is null - rejected = true; - } - } catch (Exception ex1) { - CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " - + ex1.toString()); - rejected = true; - } // try - - } else { - rejected = true; - }// allowSameKeyRenewal - } // (size > 0) - - if (rejected == true) { - CMS.debug("UniqueKeyConstraint: rejected"); - throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_DUPLICATE_KEY")); - } else { - CMS.debug("UniqueKeyConstraint: approved"); - } + /* + * It does not matter if the corresponding cert's status + * is valid or not, we don't want a key that was once + * generated before + */ + if (size > 0) { + CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); + + /* + The following code revokes the existing certs that have + the same public key as the one submitted for enrollment + request. However, it is not a good idea due to possible + abuse. It is therefore commented out. It is still + however still maintained for possible utilization at later + time + + // if configured to revoke duplicated key + // revoke cert + if (mRevokeDupKeyCert) { + try { + Enumeration e = list.getCertRecords(0, size-1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + + // revoke the cert + BigInteger serialNum = cert.getSerialNumber(); + ICAService service = (ICAService) mCA.getCAService(); + + RevokedCertImpl crlEntry = + formCRLEntry(serialNum, RevocationReason.KEY_COMPROMISE); + service.revokeCert(crlEntry); + CMS.debug("UniqueKeyConstraint: certificate with duplicate publickey revoked successfully"); + } + } catch (Exception ex) { + CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); + } + } // revoke dupkey cert turned on + */ + + if (mAllowSameKeyRenewal == true) { + X500Name sjname_in_db = null; + X500Name sjname_in_req = null; + + try { + // get subject of request + CertificateSubjectName subName = + (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + + if (subName != null) { + + sjname_in_req = + (X500Name) subName.get(CertificateSubjectName.DN_NAME); + CMS.debug("UniqueKeyConstraint: cert request subject DN ="+ sjname_in_req.toString()); + Enumeration e = list.getCertRecords(0, size-1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + String certDN = + cert.getSubjectDN().toString(); + CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN ="+ certDN); + + sjname_in_db = new X500Name(certDN); + + if (sjname_in_db.equals(sjname_in_req) == false) { + rejected = true; + break; + } else { + rejected = false; + } + } // while + } else { //subName is null + rejected = true; + } + } catch (Exception ex1) { + CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: "+ex1.toString()); + rejected = true; + } // try + + } else { + rejected = true; + }// allowSameKeyRenewal + } // (size > 0) + + if (rejected == true) { + CMS.debug("UniqueKeyConstraint: rejected"); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DUPLICATE_KEY")); + } else { + CMS.debug("UniqueKeyConstraint: approved"); + } } - /** + /** * make a CRL entry from a serial number and revocation reason. - * * @return a RevokedCertImpl that can be entered in a CRL. - * - * protected RevokedCertImpl formCRLEntry( BigInteger serialNo, - * RevocationReason reason) throws EBaseException { - * CRLReasonExtension reasonExt = new CRLReasonExtension(reason); - * CRLExtensions crlentryexts = new CRLExtensions(); - * - * try { crlentryexts.set(CRLReasonExtension.NAME, reasonExt); } - * catch (IOException e) { - * CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); - * - * // throw new ECMSGWException( // - * CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); - * - * } RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, - * CMS.getCurrentDate(), crlentryexts); - * - * return crlentry; } - */ + + protected RevokedCertImpl formCRLEntry( + BigInteger serialNo, RevocationReason reason) + throws EBaseException { + CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + CRLExtensions crlentryexts = new CRLExtensions(); + + try { + crlentryexts.set(CRLReasonExtension.NAME, reasonExt); + } catch (IOException e) { + CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); + + // throw new ECMSGWException( + // CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); + + } + RevokedCertImpl crlentry = + new RevokedCertImpl(serialNo, CMS.getCurrentDate(), + crlentryexts); + + return crlentry; + } + */ public String getText(Locale locale) { String params[] = { - /* - * getConfig(CONFIG_REVOKE_DUPKEY_CERT), - */ - }; +/* + getConfig(CONFIG_REVOKE_DUPKEY_CERT), +*/ + }; - return CMS.getUserMessage(locale, + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_ALLOW_SAME_KEY_RENEWAL_TEXT", params); } @@ -262,12 +285,12 @@ public class UniqueKeyConstraint extends EnrollConstraint { } public boolean isApplicable(IPolicyDefault def) { - if (def instanceof NoDefault) - return true; + if (def instanceof NoDefault) + return true; if (def instanceof UniqueKeyConstraint) return true; - return false; + return false; } } |