diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java')
-rw-r--r-- | base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java new file mode 100644 index 000000000..843360542 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java @@ -0,0 +1,243 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NSCertTypeExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the Netscape certificate type extension constraint. + * It checks if the Netscape certificate type extension in the certificate + * template satisfies the criteria. + * + * @version $Revision$, $Date$ + */ +public class NSCertTypeExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "nsCertCritical"; + public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient"; + public static final String CONFIG_SSL_SERVER = "nsCertSSLServer"; + public static final String CONFIG_EMAIL = "nsCertEmail"; + public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String CONFIG_SSL_CA = "nsCertSSLCA"; + public static final String CONFIG_EMAIL_CA = "nsCertEmailCA"; + public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public NSCertTypeExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SSL_CLIENT); + addConfigName(CONFIG_SSL_SERVER); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_OBJECT_SIGNING); + addConfigName(CONFIG_SSL_CA); + addConfigName(CONFIG_EMAIL_CA); + addConfigName(CONFIG_OBJECT_SIGNING_CA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_SSL_CLIENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(CONFIG_SSL_SERVER)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); + } else if (name.equals(CONFIG_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(CONFIG_SSL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(CONFIG_EMAIL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, + "CMS_PROFILE_OBJECT_SIGNING_CA")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + NSCertTypeExtension ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + NSCertTypeExtension.CertType_Id.toString())); + } + + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_SSL_CLIENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(0)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_SERVER); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(1)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_SERVER_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(2)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(3)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(4)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(5)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(6)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED", + value)); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), + getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), + getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), + getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof NSCertTypeExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} |