diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java')
-rw-r--r-- | base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java | 331 |
1 files changed, 331 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java new file mode 100644 index 000000000..62f0b21da --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java @@ -0,0 +1,331 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateVersion; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.SubjectAlternativeNameExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IExtendedPluginInfo; +import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.policy.IEnrollmentPolicy; +import com.netscape.certsrv.policy.IGeneralNameUtil; +import com.netscape.certsrv.policy.IPolicyProcessor; +import com.netscape.certsrv.policy.ISubjAltNameConfig; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.cms.policy.APolicyRule; + +/** + * Subject Alternative Name extension policy. + * + * Adds the subject alternative name extension as configured. + * + * Two forms are supported. 1) For S/MIME certificates, email + * addresses are copied from data stored in the request by the + * authentication component. Both 'e' and 'altEmail' are supported + * so that both the primary address and alternative forms may be + * certified. Only the primary goes in the subjectName position (which + * should be phased out). + * + * e + * mailAlternateAddress + * <P> + * + * <PRE> + * NOTE: The Policy Framework has been replaced by the Profile Framework. + * </PRE> + * <P> + * + * @deprecated + * @version $Revision$, $Date$ + */ +public class SubjectAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // (standard says SHOULD be marked critical if included.) + protected static final String PROP_CRITICAL = "critical"; + protected static final boolean DEF_CRITICAL = false; + + protected IConfigStore mConfig = null; + protected boolean mEnabled = false; + protected boolean mCritical = DEF_CRITICAL; + protected int mNumGNs = 0; + protected ISubjAltNameConfig[] mGNs = null; + + Vector<String> mInstanceParams = new Vector<String>(); + + // init default params and extended plugin info. + private static Vector<String> mDefParams = new Vector<String>(); + static { + // default params. + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + + IGeneralNameUtil.DEF_NUM_GENERALNAMES); + for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { + CMS.getSubjAltNameConfigDefaultParams( + IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); + } + } + + private String[] mExtendedPluginInfo = null; + + public SubjectAltNameExt() { + NAME = "SubjectAltNameExt"; + DESC = "Sets alternative subject names for certificates"; + } + + /** + * Initializes this policy rule. + * <P> + * + * The entries may be of the form: + * + * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + mConfig = config; + + // get criticality + mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); + + // get enabled + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); + + // get general names configuration. + mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); + if (mNumGNs <= 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", + IGeneralNameUtil.PROP_NUM_GENERALNAMES)); + } + mGNs = new ISubjAltNameConfig[mNumGNs]; + for (int i = 0; i < mNumGNs; i++) { + String name = IGeneralNameUtil.PROP_GENERALNAME + i; + IConfigStore substore = mConfig.getSubStore(name); + + mGNs[i] = CMS.createSubjAltNameConfig(name, substore, mEnabled); + } + + // init instance params. + mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); + mInstanceParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); + for (int j = 0; j < mGNs.length; j++) { + mGNs[j].getInstanceParams(mInstanceParams); + } + } + + /** + * Adds the subject alternative names extension if not set already. + * + * <P> + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // Find the X509CertInfo object in the request + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return res; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + PolicyResult res = PolicyResult.ACCEPTED; + + try { + // Find the extensions in the certInfo + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + // Remove any previously computed version of the extension + // unless it is from RA. If from RA, accept what RA put in + // request and don't add our own. + if (extensions != null) { + String sourceId = req.getSourceId(); + + if (sourceId != null && sourceId.length() > 0) + return res; // accepted + try { + extensions.delete(SubjectAlternativeNameExtension.NAME); + } catch (IOException e) { + // extension isn't there + } + } + + // form list of general names for the extension. + GeneralNames gns = new GeneralNames(); + + for (int i = 0; i < mNumGNs; i++) { + Object value = null; + + value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr()); + if (value == null) { + continue; + } + Vector<GeneralName> gn = mGNs[i].formGeneralNames(value); + + if (gn.size() == 0) + continue; + for (Enumeration<GeneralName> n = gn.elements(); n.hasMoreElements();) { + gns.addElement(n.nextElement()); + } + } + + // nothing was found in request to put into extension + if (gns.size() == 0) + return res; // accepted + + String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); + + boolean curCritical = mCritical; + + if (subject.equals("")) { + curCritical = true; + } + + // make the extension + SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(curCritical, gns); + + // add it to certInfo. + if (extensions == null) + extensions = createCertificateExtensions(certInfo); + + extensions.set(SubjectAlternativeNameExtension.NAME, sa); + + return res; // accepted. + + } catch (IOException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (CertificateException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } catch (Exception e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Internal Error"); + return PolicyResult.REJECTED; // unrecoverable error. + } + } + + /** + * Create a new SET of extensions in the certificate info + * object. + * + * This should be a method in the X509CertInfo object + */ + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { + CertificateExtensions extensions; + + // Force version to V3 + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + + extensions = new CertificateExtensions(); + certInfo.set(X509CertInfo.EXTENSIONS, extensions); + + return extensions; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector<String> getInstanceParams() { + return mInstanceParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector<String> getDefaultParams() { + return mDefParams; + } + + public String[] getExtendedPluginInfo(Locale locale) { + + // extended plugin info. + Vector<String> info = new Vector<String>(); + + info.addElement(PROP_CRITICAL + + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); + info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); + for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { + CMS.getSubjAltNameConfigExtendedPluginInfo( + IGeneralNameUtil.PROP_GENERALNAME + i, info); + } + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin"); + mExtendedPluginInfo = new String[info.size()]; + info.copyInto(mExtendedPluginInfo); + return mExtendedPluginInfo; + } + +} |