diff options
| author | Andrew Wnuk <awnuk@redhat.com> | 2012-02-15 11:03:50 -0800 |
|---|---|---|
| committer | Andrew Wnuk <awnuk@redhat.com> | 2012-02-15 11:03:50 -0800 |
| commit | 43a2559b7512eabbfe1e4bc0faa613d94142271d (patch) | |
| tree | 335e5bc97853cae859cc530fbd9d7c3946d11e3e /pki/base | |
| parent | a6285f70f57eee49dce0cdac8decafc2ba08ba6c (diff) | |
| download | pki-43a2559b7512eabbfe1e4bc0faa613d94142271d.tar.gz pki-43a2559b7512eabbfe1e4bc0faa613d94142271d.tar.xz pki-43a2559b7512eabbfe1e4bc0faa613d94142271d.zip | |
ECC encryption and signing profiles
This patch provides an option for certificate profiles to allow them to automatically create enrollment pages which are used to generate new signing and encryption certificate requests.
Bug: 703608.
Diffstat (limited to 'pki/base')
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java | 187 | ||||
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java | 187 |
2 files changed, 374 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java b/pki/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java new file mode 100644 index 000000000..4fb7ae863 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java @@ -0,0 +1,187 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + + +import java.security.cert.*; +import java.io.*; +import java.util.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.apps.*; + +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.pkix.crmf.*; +import org.mozilla.jss.pkix.cmc.*; +import org.mozilla.jss.pkcs10.*; + +import netscape.security.x509.*; +import netscape.security.util.*; +import netscape.security.pkcs.*; + +import com.netscape.cms.profile.common.*; + + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + * <p> + * + * This input normally is used with user-based or + * non certificate request profile. + * <p> + * + * @version $Revision$, $Date$ + */ +public class EncryptionKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public EncryptionKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("EncryptionKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("EncryptionKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/pki/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java b/pki/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java new file mode 100644 index 000000000..93aaa11b9 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java @@ -0,0 +1,187 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + + +import java.security.cert.*; +import java.io.*; +import java.util.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.apps.*; + +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.pkix.crmf.*; +import org.mozilla.jss.pkix.cmc.*; +import org.mozilla.jss.pkcs10.*; + +import netscape.security.x509.*; +import netscape.security.util.*; +import netscape.security.pkcs.*; + +import com.netscape.cms.profile.common.*; + + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + * <p> + * + * This input normally is used with user-based or + * non certificate request profile. + * <p> + * + * @version $Revision$, $Date$ + */ +public class SigningKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public SigningKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("SigningKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("SigningKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} |