summaryrefslogtreecommitdiffstats
path: root/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
diff options
context:
space:
mode:
Diffstat (limited to 'base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java')
-rw-r--r--base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java331
1 files changed, 0 insertions, 331 deletions
diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
deleted file mode 100644
index 0d89d8876..000000000
--- a/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
+++ /dev/null
@@ -1,331 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2007 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.cms.policy.extensions;
-
-import java.io.IOException;
-import java.security.cert.CertificateException;
-import java.util.Enumeration;
-import java.util.Locale;
-import java.util.Vector;
-
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.GeneralName;
-import netscape.security.x509.GeneralNames;
-import netscape.security.x509.SubjectAlternativeNameExtension;
-import netscape.security.x509.X509CertInfo;
-
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.base.IExtendedPluginInfo;
-import com.netscape.certsrv.base.ISubsystem;
-import com.netscape.certsrv.logging.ILogger;
-import com.netscape.certsrv.policy.IEnrollmentPolicy;
-import com.netscape.certsrv.policy.IGeneralNameUtil;
-import com.netscape.certsrv.policy.IPolicyProcessor;
-import com.netscape.certsrv.policy.ISubjAltNameConfig;
-import com.netscape.certsrv.request.IRequest;
-import com.netscape.certsrv.request.PolicyResult;
-import com.netscape.cms.policy.APolicyRule;
-
-/**
- * Subject Alternative Name extension policy.
- *
- * Adds the subject alternative name extension as configured.
- *
- * Two forms are supported. 1) For S/MIME certificates, email
- * addresses are copied from data stored in the request by the
- * authentication component. Both 'e' and 'altEmail' are supported
- * so that both the primary address and alternative forms may be
- * certified. Only the primary goes in the subjectName position (which
- * should be phased out).
- *
- * e
- * mailAlternateAddress
- * <P>
- *
- * <PRE>
- * NOTE: The Policy Framework has been replaced by the Profile Framework.
- * </PRE>
- * <P>
- *
- * @deprecated
- * @version $Revision$, $Date$
- */
-public class SubjectAltNameExt extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
- // (standard says SHOULD be marked critical if included.)
- protected static final String PROP_CRITICAL = "critical";
- protected static final boolean DEF_CRITICAL = false;
-
- protected IConfigStore mConfig = null;
- protected boolean mEnabled = false;
- protected boolean mCritical = DEF_CRITICAL;
- protected int mNumGNs = 0;
- protected ISubjAltNameConfig[] mGNs = null;
-
- Vector<String> mInstanceParams = new Vector<String>();
-
- // init default params and extended plugin info.
- private static Vector<String> mDefParams = new Vector<String>();
- static {
- // default params.
- mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL);
- mDefParams.addElement(
- IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" +
- IGeneralNameUtil.DEF_NUM_GENERALNAMES);
- for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) {
- CMS.getSubjAltNameConfigDefaultParams(
- IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams);
- }
- }
-
- private String[] mExtendedPluginInfo = null;
-
- public SubjectAltNameExt() {
- NAME = "SubjectAltNameExt";
- DESC = "Sets alternative subject names for certificates";
- }
-
- /**
- * Initializes this policy rule.
- * <P>
- *
- * The entries may be of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt ra.Policy.rule.<ruleName>.enable=true
- *
- * @param config The config store reference
- */
- public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
- mConfig = config;
-
- // get criticality
- mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL);
-
- // get enabled
- mEnabled = mConfig.getBoolean(
- IPolicyProcessor.PROP_ENABLE, false);
-
- // get general names configuration.
- mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES);
- if (mNumGNs <= 0) {
- throw new EBaseException(
- CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER",
- IGeneralNameUtil.PROP_NUM_GENERALNAMES));
- }
- mGNs = new ISubjAltNameConfig[mNumGNs];
- for (int i = 0; i < mNumGNs; i++) {
- String name = IGeneralNameUtil.PROP_GENERALNAME + i;
- IConfigStore substore = mConfig.getSubStore(name);
-
- mGNs[i] = CMS.createSubjAltNameConfig(name, substore, mEnabled);
- }
-
- // init instance params.
- mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical);
- mInstanceParams.addElement(
- IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs);
- for (int j = 0; j < mGNs.length; j++) {
- mGNs[j].getInstanceParams(mInstanceParams);
- }
- }
-
- /**
- * Adds the subject alternative names extension if not set already.
- *
- * <P>
- *
- * @param req The request on which to apply policy.
- * @return The policy result object.
- */
- public PolicyResult apply(IRequest req) {
- PolicyResult res = PolicyResult.ACCEPTED;
-
- // Find the X509CertInfo object in the request
- X509CertInfo[] ci =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
-
- if (ci == null || ci[0] == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
-
- return PolicyResult.REJECTED; // unrecoverable error.
- }
-
- for (int i = 0; i < ci.length; i++) {
- PolicyResult certRes = applyCert(req, ci[i]);
-
- if (certRes == PolicyResult.REJECTED)
- return certRes;
- }
- return res;
- }
-
- public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) {
- PolicyResult res = PolicyResult.ACCEPTED;
-
- try {
- // Find the extensions in the certInfo
- CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
-
- // Remove any previously computed version of the extension
- // unless it is from RA. If from RA, accept what RA put in
- // request and don't add our own.
- if (extensions != null) {
- String sourceId = req.getSourceId();
-
- if (sourceId != null && sourceId.length() > 0)
- return res; // accepted
- try {
- extensions.delete(SubjectAlternativeNameExtension.NAME);
- } catch (IOException e) {
- // extension isn't there
- }
- }
-
- // form list of general names for the extension.
- GeneralNames gns = new GeneralNames();
-
- for (int i = 0; i < mNumGNs; i++) {
- Object value = null;
-
- value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr());
- if (value == null) {
- continue;
- }
- Vector<GeneralName> gn = mGNs[i].formGeneralNames(value);
-
- if (gn.size() == 0)
- continue;
- for (Enumeration<GeneralName> n = gn.elements(); n.hasMoreElements();) {
- gns.addElement(n.nextElement());
- }
- }
-
- // nothing was found in request to put into extension
- if (gns.size() == 0)
- return res; // accepted
-
- String subject = certInfo.get(X509CertInfo.SUBJECT).toString();
-
- boolean curCritical = mCritical;
-
- if (subject.equals("")) {
- curCritical = true;
- }
-
- // make the extension
- SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(curCritical, gns);
-
- // add it to certInfo.
- if (extensions == null)
- extensions = createCertificateExtensions(certInfo);
-
- extensions.set(SubjectAlternativeNameExtension.NAME, sa);
-
- return res; // accepted.
-
- } catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, e.getMessage());
- return PolicyResult.REJECTED; // unrecoverable error.
- } catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Certificate Info Error");
- return PolicyResult.REJECTED; // unrecoverable error.
- } catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Internal Error");
- return PolicyResult.REJECTED; // unrecoverable error.
- }
- }
-
- /**
- * Create a new SET of extensions in the certificate info
- * object.
- *
- * This should be a method in the X509CertInfo object
- */
- protected CertificateExtensions
- createCertificateExtensions(X509CertInfo certInfo)
- throws IOException, CertificateException {
- CertificateExtensions extensions;
-
- // Force version to V3
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
-
- extensions = new CertificateExtensions();
- certInfo.set(X509CertInfo.EXTENSIONS, extensions);
-
- return extensions;
- }
-
- /**
- * Return configured parameters for a policy rule instance.
- *
- * @return nvPairs A Vector of name/value pairs.
- */
- public Vector<String> getInstanceParams() {
- return mInstanceParams;
- }
-
- /**
- * Return default parameters for a policy implementation.
- *
- * @return nvPairs A Vector of name/value pairs.
- */
- public Vector<String> getDefaultParams() {
- return mDefParams;
- }
-
- public String[] getExtendedPluginInfo(Locale locale) {
-
- // extended plugin info.
- Vector<String> info = new Vector<String>();
-
- info.addElement(PROP_CRITICAL
- + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical.");
- info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO);
- for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) {
- CMS.getSubjAltNameConfigExtendedPluginInfo(
- IGeneralNameUtil.PROP_GENERALNAME + i, info);
- }
- info.addElement(IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-subjaltname");
- info.addElement(IExtendedPluginInfo.HELP_TEXT +
- ";This policy inserts the Subject Alternative Name " +
- "Extension into the certificate. See RFC 2459 (4.2.1.7). " +
- "* Note: you probably want to use this policy in " +
- "conjunction with an authentication manager which sets " +
- "the 'mail' or 'mailalternateaddress' values in the authToken. " +
- "See the 'ldapStringAttrs' parameter in the Directory-based " +
- "authentication plugin");
- mExtendedPluginInfo = new String[info.size()];
- info.copyInto(mExtendedPluginInfo);
- return mExtendedPluginInfo;
- }
-
-}
generated by cgit (git 2.34.1) at 2024-07-04 12:52:15 +0000