Diffstat (limited to 'pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java | 257 |
1 files changed, 129 insertions, 128 deletions
diff --git a/pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java b/pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java
index 88ac8c45e..5e4e65661 100644
--- a/pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java
+++ b/pki/base/common/src/com/netscape/cms/ocsp/LDAPStore.java
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.ocsp; + import java.math.BigInteger; import java.security.MessageDigest; import java.security.cert.X509CRL;
@@ -70,10 +71,11 @@ import com.netscape.cmsutil.ocsp.SingleResponse; import com.netscape.cmsutil.ocsp.TBSRequest; import com.netscape.cmsutil.ocsp.UnknownInfo; + /** - * This is the LDAP OCSP store. It reads CA certificate and revocation list - * attributes from the CA entry. - * + * This is the LDAP OCSP store. It reads CA certificate and + * revocation list attributes from the CA entry. + * * @version $Revision$, $Date$ */ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
@@ -91,7 +93,8 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { private static final String PROP_PORT = "port"; private final static String PROP_NOT_FOUND_GOOD = "notFoundAsGood"; - private final static String PROP_INCLUDE_NEXT_UPDATE = "includeNextUpdate"; + private final static String PROP_INCLUDE_NEXT_UPDATE = + "includeNextUpdate"; private IOCSPAuthority mOCSPAuthority = null; private IConfigStore mConfig = null; 
@@ -108,59 +111,44 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { public LDAPStore() { } - public String[] getExtendedPluginInfo(Locale locale) { - Vector v = new Vector(); - - v.addElement(PROP_NOT_FOUND_GOOD - + ";boolean; " - + CMS.getUserMessage(locale, - "CMS_OCSP_LDAPSTORE_PROP_NOT_FOUND_GOOD")); - v.addElement(PROP_INCLUDE_NEXT_UPDATE - + ";boolean; " - + CMS.getUserMessage(locale, - "CMS_OCSP_LDAPSTORE_PROP_INCLUDE_NEXT_UPDATE")); - v.addElement(PROP_NUM_CONNS - + ";number; " - + CMS.getUserMessage(locale, - "CMS_OCSP_LDAPSTORE_PROP_NUM_CONNS")); - v.addElement(PROP_BY_NAME + ";boolean; " - + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_BY_NAME")); - v.addElement(PROP_CRL_ATTR - + ";string; " - + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_CRL_ATTR")); - v.addElement(PROP_CA_CERT_ATTR - + ";string; " - + CMS.getUserMessage(locale, - "CMS_OCSP_LDAPSTORE_PROP_CA_CERT_ATTR")); - v.addElement(IExtendedPluginInfo.HELP_TEXT + "; " - + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_DESC")); - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-ocspstores-ldapstore"); - return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); + public String[] getExtendedPluginInfo(Locale locale) { + Vector v = new Vector(); + + v.addElement(PROP_NOT_FOUND_GOOD + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_NOT_FOUND_GOOD")); + v.addElement(PROP_INCLUDE_NEXT_UPDATE + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_INCLUDE_NEXT_UPDATE")); + v.addElement(PROP_NUM_CONNS + ";number; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_NUM_CONNS")); + v.addElement(PROP_BY_NAME + ";boolean; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_BY_NAME")); + v.addElement(PROP_CRL_ATTR + ";string; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_CRL_ATTR")); + v.addElement(PROP_CA_CERT_ATTR + ";string; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_PROP_CA_CERT_ATTR")); + 
v.addElement(IExtendedPluginInfo.HELP_TEXT + "; " + CMS.getUserMessage(locale, "CMS_OCSP_LDAPSTORE_DESC")); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-ocspstores-ldapstore"); + return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } /** * Fetch CA certificate and CRL from LDAP server. */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { mOCSPAuthority = (IOCSPAuthority) owner; mConfig = config; mCRLAttr = mConfig.getString(PROP_CRL_ATTR, DEF_CRL_ATTR); - mCACertAttr = mConfig.getString(PROP_CA_CERT_ATTR, DEF_CA_CERT_ATTR); + mCACertAttr = mConfig.getString(PROP_CA_CERT_ATTR, + DEF_CA_CERT_ATTR); mByName = mConfig.getBoolean(PROP_BY_NAME, true); - + } /** * Locates the CA certificate. */ - public X509CertImpl locateCACert(LDAPConnection conn, String baseDN) - throws EBaseException { + public X509CertImpl locateCACert(LDAPConnection conn, String baseDN) + throws EBaseException { try { - LDAPSearchResults results = conn.search(baseDN, LDAPv2.SCOPE_SUB, - mCACertAttr + "=*", null, false); + LDAPSearchResults results = conn.search(baseDN, + LDAPv2.SCOPE_SUB, mCACertAttr + "=*", + null, false); if (!results.hasMoreElements()) { throw new EBaseException("error - no entry");
@@ -178,8 +166,8 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { return caCert; } catch (Exception e) { CMS.debug("LDAPStore: locateCACert " + e.toString()); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("OCSP_LOCATE_CA", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OCSP_LOCATE_CA", e.toString())); } return null; } 
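Review bot: The rebuilt getExtendedPluginInfo in the hunk at -108 joins each addElement call onto one line, and several of them (the PROP_INCLUDE_NEXT_UPDATE and PROP_CA_CERT_ATTR entries, for instance) now run well past 120 columns, which is the opposite direction from the rest of this formatting commit; keeping the `CMS.getUserMessage(locale, "...")` argument on its own continuation line would stay within the file's usual width. While touching these lines, `Vector v = new Vector();` is a raw type and would read better as `Vector<String> v = new Vector<String>();`, since every element added is a String. The locateCACert body that this hunk opens continues outside it.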
@@ -187,11 +175,12 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { /** * Locates the CRL. */ - public X509CRLImpl locateCRL(LDAPConnection conn, String baseDN) - throws EBaseException { + public X509CRLImpl locateCRL(LDAPConnection conn, String baseDN) + throws EBaseException { try { - LDAPSearchResults results = conn.search(baseDN, LDAPv2.SCOPE_SUB, - mCRLAttr + "=*", null, false); + LDAPSearchResults results = conn.search(baseDN, + LDAPv2.SCOPE_SUB, mCRLAttr + "=*", + null, false); if (!results.hasMoreElements()) { throw new EBaseException("error - no entry");
@@ -209,26 +198,25 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { return crl; } catch (Exception e) { CMS.debug("LDAPStore: locateCRL " + e.toString()); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("OCSP_LOCATE_CRL", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OCSP_LOCATE_CRL", e.toString())); } return null; } - public void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl) - throws EBaseException { + public void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl) + throws EBaseException { X509CRLImpl oldCRL = (X509CRLImpl) mCRLs.get(caCert); if (oldCRL != null) { - if (oldCRL.getThisUpdate().getTime() >= crl.getThisUpdate() - .getTime()) { - log(ILogger.LL_INFO, - "LDAPStore: no update, received CRL is older than current CRL"); + if (oldCRL.getThisUpdate().getTime() >= + crl.getThisUpdate().getTime()) { + log(ILogger.LL_INFO, + "LDAPStore: no update, received CRL is older than current CRL"); return; // no update } } - CMS.debug("Added '" + caCert.getSubjectDN().toString() - + "' into CRL hash"); + CMS.debug("Added '" + caCert.getSubjectDN().toString() + "' into CRL hash"); mCRLs.put(caCert, crl); } 
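Review bot: updateCRLHash in the hunk at -209 performs the mCRLs.get, the thisUpdate comparison and the mCRLs.put as three separate steps, and it is presumably called from the CRLUpdater threads that the hunk at -240 starts one per configured connection, so two updaters resolving the same CA can interleave and the later put can reinstall a CRL older than the one it was just compared against. Declaring it `public synchronized void updateCRLHash(X509CertImpl caCert, X509CRLImpl crl)` makes the check-and-replace atomic; a per-operation-synchronized map does not give that. Nothing in this hunk verifies the incoming crl against caCert before it becomes the served CRL; if that verification happens in locateCRL (whose middle is outside the hunk), a one-line comment at the put saying so would save the next reader the search.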
@@ -240,8 +228,7 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { int num = mConfig.getInteger(PROP_NUM_CONNS, 0); for (int i = 0; i < num; i++) { - String host = mConfig.getString(PROP_HOST + Integer.toString(i), - null); + String host = mConfig.getString(PROP_HOST + Integer.toString(i), null); int port = mConfig.getInteger(PROP_PORT + Integer.toString(i), 0); LDAPConnection c = new LDAPConnection();
@@ -250,12 +237,11 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } catch (LDAPException e) { throw new EBaseException("LDAP " + e); } - String baseDN = mConfig.getString( - PROP_BASE_DN + Integer.toString(i), null); - CRLUpdater updater = new CRLUpdater(this, c, baseDN, - mConfig.getInteger( - PROP_REFRESH_IN_SEC + Integer.toString(i), - DEF_REFRESH_IN_SEC)); + String baseDN = mConfig.getString(PROP_BASE_DN + Integer.toString(i), null); + CRLUpdater updater = new CRLUpdater( + this, c, baseDN, + mConfig.getInteger(PROP_REFRESH_IN_SEC + Integer.toString(i), + DEF_REFRESH_IN_SEC)); updater.start(); }
@@ -279,9 +265,10 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { /** * Validate an OCSP request. */ - public OCSPResponse validate(OCSPRequest request) throws EBaseException { + public OCSPResponse validate(OCSPRequest request) + throws EBaseException { - IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); mOCSPAuthority.incNumOCSPRequest(1); long startTime = CMS.getCurrentDate().getTime(); 
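Review bot: The cast in the hunk at -279 lost its space, `(IStatsSubsystem)CMS.getSubsystem("stats")`, while every other cast on the new side of this diff keeps one (`(IOCSPAuthority) owner`, `(X509CRLImpl) mCRLs.get(caCert)`, `(X509Key) caCert.getPublicKey()`); for a formatting-only commit that is a regression and the line should read `IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");`. The hunk at -473 introduces the same kind of inconsistency with `if( key == null )`. validate's body continues past the end of this hunk.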
@@ -292,12 +279,13 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { Vector singleResponses = new Vector(); if (statsSub != null) { - statsSub.startTiming("lookup"); + statsSub.startTiming("lookup"); } long lookupStartTime = CMS.getCurrentDate().getTime(); for (int i = 0; i < tbsReq.getRequestCount(); i++) { - com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(i); + com.netscape.cmsutil.ocsp.Request req = + tbsReq.getRequestAt(i); CertID cid = req.getCertID(); SingleResponse sr = processRequest(cid);
@@ -305,12 +293,12 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } long lookupEndTime = CMS.getCurrentDate().getTime(); if (statsSub != null) { - statsSub.endTiming("lookup"); + statsSub.endTiming("lookup"); } mOCSPAuthority.incLookupTime(lookupEndTime - lookupStartTime); if (statsSub != null) { - statsSub.startTiming("build_response"); + statsSub.startTiming("build_response"); } SingleResponse res[] = new SingleResponse[singleResponses.size()];
@@ -335,14 +323,14 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } } - ResponseData rd = new ResponseData(rid, new GeneralizedTime( - CMS.getCurrentDate()), res, nonce); + ResponseData rd = new ResponseData(rid, + new GeneralizedTime(CMS.getCurrentDate()), res, nonce); if (statsSub != null) { - statsSub.endTiming("build_response"); + statsSub.endTiming("build_response"); } if (statsSub != null) { - statsSub.startTiming("signing"); + statsSub.startTiming("signing"); } long signStartTime = CMS.getCurrentDate().getTime(); 
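Review bot: `SingleResponse sr = processRequest(cid);` at the end of the hunk at -292 can receive null, because processRequest visibly returns null in the hunk at -473 when the CA key is missing, and only a single line separates this hunk from the one at -305, so whatever adds sr to singleResponses is not visible here. If that line has no null guard, a null lands in the `res[]` array built in the next hunk and encoding the response would fail for the whole batch; `if (sr != null) singleResponses.addElement(sr);` at that site would make the intent explicit. The raw `Vector singleResponses = new Vector();` would also be clearer as `Vector<SingleResponse>`. validate begins in the hunk at -279 and continues past this one.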
@@ -350,13 +338,13 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { long signEndTime = CMS.getCurrentDate().getTime(); mOCSPAuthority.incSignTime(signEndTime - signStartTime); if (statsSub != null) { - statsSub.endTiming("signing"); + statsSub.endTiming("signing"); } OCSPResponse response = new OCSPResponse( - OCSPResponseStatus.SUCCESSFUL, new ResponseBytes( - ResponseBytes.OCSP_BASIC, new OCTET_STRING( - ASN1Util.encode(basicRes)))); + OCSPResponseStatus.SUCCESSFUL, + new ResponseBytes(ResponseBytes.OCSP_BASIC, + new OCTET_STRING(ASN1Util.encode(basicRes)))); log(ILogger.LL_INFO, "done OCSP request"); long endTime = CMS.getCurrentDate().getTime();
@@ -364,8 +352,7 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { return response; } catch (Exception e) { CMS.debug("LDAPStore: validation " + e.toString()); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); return null; } }
@@ -388,7 +375,8 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } public void addRepository(String name, String thisUpdate, - IRepositoryRecord rec) throws EBaseException { + IRepositoryRecord rec) + throws EBaseException { throw new EBaseException("NOT SUPPORTED"); }
@@ -401,12 +389,12 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } public ICRLIssuingPointRecord readCRLIssuingPoint(String name) - throws EBaseException { + throws EBaseException { throw new EBaseException("NOT SUPPORTED"); } public Enumeration searchAllCRLIssuingPointRecord(int maxSize) - throws EBaseException { + throws EBaseException { Vector recs = new Vector(); Enumeration keys = mCRLs.keys(); 
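Review bot: The catch in the hunk at -364 turns every failure in validate, including the NullPointerExceptions that processRequest can produce on an unusual request, into `return null` and records only `e.toString()`, so the stack trace needed to tell a malformed request from a store problem is gone. Logging the exception itself through CMS.debug (or at least its class and message) before returning, and returning an OCSPResponse with a non-successful OCSPResponseStatus if the enum provides one, would leave the caller with something to send; what the caller does with a null return is not visible in this diff. validate starts in the hunk at -279.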
@@ -419,23 +407,26 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { return recs.elements(); } - public Enumeration searchCRLIssuingPointRecord(String filter, int maxSize) - throws EBaseException { + public Enumeration searchCRLIssuingPointRecord(String filter, + int maxSize) + throws EBaseException { return null; } - public ICRLIssuingPointRecord createCRLIssuingPointRecord(String name, - BigInteger crlNumber, Long crlSize, Date thisUpdate, Date nextUpdate) { + public ICRLIssuingPointRecord createCRLIssuingPointRecord( + String name, BigInteger crlNumber, + Long crlSize, Date thisUpdate, Date nextUpdate) { return null; } public void addCRLIssuingPoint(String name, ICRLIssuingPointRecord rec) - throws EBaseException { + throws EBaseException { throw new EBaseException("NOT SUPPORTED"); } - public void deleteCRLIssuingPointRecord(String id) throws EBaseException { - throw new EBaseException("NOT SUPPORTED"); + public void deleteCRLIssuingPointRecord(String id) + throws EBaseException { + throw new EBaseException("NOT SUPPORTED"); } public boolean isNotFoundGood() {
@@ -448,7 +439,7 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { public boolean includeNextUpdate() throws EBaseException { return mConfig.getBoolean(PROP_INCLUDE_NEXT_UPDATE, false); - } + } public boolean isNotFoundGood1() throws EBaseException { return mConfig.getBoolean(PROP_NOT_FOUND_GOOD, true);
@@ -473,13 +464,13 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { MessageDigest md = null; try { - md = MessageDigest.getInstance(mOCSPAuthority.getDigestName(cid - .getHashAlgorithm())); + md = MessageDigest.getInstance( + mOCSPAuthority.getDigestName(cid.getHashAlgorithm())); } catch (Exception e) { } X509Key key = (X509Key) caCert.getPublicKey(); - if (key == null) { + if( key == null ) { System.out.println("LDAPStore::processRequest - key is null!"); return null; } 
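Review bot: In the hunk at -419, searchCRLIssuingPointRecord and createCRLIssuingPointRecord silently `return null;` while the neighbouring unsupported operations (addCRLIssuingPoint, deleteCRLIssuingPointRecord) announce themselves with `throw new EBaseException("NOT SUPPORTED");`, so a caller of the search variant gets a null Enumeration to trip over instead of a clear failure. Either throwing the same "NOT SUPPORTED" exception or returning an empty enumeration (`return new Vector().elements();`) would make the two groups consistent; if null is deliberate, a `// not supported: callers must null-check` comment on each would at least document it.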
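Review bot: `} catch (Exception e) { }` after MessageDigest.getInstance in the hunk at -473 leaves md null whenever the digest named by the request's CertID is unavailable — the hash algorithm comes from the client's request, so this is an ordinary input case, not a programming error — and the later use of md (outside this hunk) then presumably fails with a NullPointerException that validate only logs as a string. Failing here with a reason is clearer: `} catch (Exception e) { log(ILogger.LL_FAILURE, "LDAPStore: processRequest - unsupported hash algorithm: " + e); return null; }`. The commit also rewrote `if (key == null)` as `if( key == null )`, a spacing used nowhere else in the file, and the `System.out.println` on the following line should go through `log` or `CMS.debug` like the rest of the class. processRequest's signature is above this hunk and its body continues into the hunk at -503.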
@@ -503,70 +494,77 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { return null; } - GeneralizedTime thisUpdate = new GeneralizedTime(theCRL.getThisUpdate()); + GeneralizedTime thisUpdate = new GeneralizedTime( + theCRL.getThisUpdate()); GeneralizedTime nextUpdate = null; if (includeNextUpdate()) { - nextUpdate = new GeneralizedTime(theCRL.getNextUpdate()); + nextUpdate = new GeneralizedTime( + theCRL.getNextUpdate()); } CertStatus certStatus = null; - X509CRLEntry entry = theCRL - .getRevokedCertificate(cid.getSerialNumber()); + X509CRLEntry entry = theCRL.getRevokedCertificate( + cid.getSerialNumber()); if (entry == null) { - if (isNotFoundGood1()) { - certStatus = new GoodInfo(); - } else { - certStatus = new UnknownInfo(); + if (isNotFoundGood1()) { + certStatus = new GoodInfo(); + } else { + certStatus = new UnknownInfo(); } } else { certStatus = new RevokedInfo(new GeneralizedTime( - entry.getRevocationDate())); + entry.getRevocationDate())); } - + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); } /** * Provides configuration parameters. 
*/ - public NameValuePairs getConfigParameters() { + public NameValuePairs getConfigParameters() { try { - NameValuePairs params = new NameValuePairs(); + NameValuePairs params = new NameValuePairs(); - params.add(Constants.PR_OCSPSTORE_IMPL_NAME, - mConfig.getString("class")); + params.add(Constants.PR_OCSPSTORE_IMPL_NAME, + mConfig.getString("class")); int num = mConfig.getInteger(PROP_NUM_CONNS, 0); params.add(PROP_NUM_CONNS, Integer.toString(num)); for (int i = 0; i < num; i++) { - params.add(PROP_HOST + Integer.toString(i), - mConfig.getString(PROP_HOST + Integer.toString(i), "")); - params.add(PROP_PORT + Integer.toString(i), mConfig.getString( - PROP_PORT + Integer.toString(i), "389")); - params.add(PROP_BASE_DN + Integer.toString(i), mConfig - .getString(PROP_BASE_DN + Integer.toString(i), "")); - params.add(PROP_REFRESH_IN_SEC + Integer.toString(i), mConfig - .getString(PROP_REFRESH_IN_SEC + Integer.toString(i), - Integer.toString(DEF_REFRESH_IN_SEC))); + params.add(PROP_HOST + Integer.toString(i), + mConfig.getString(PROP_HOST + + Integer.toString(i), "")); + params.add(PROP_PORT + Integer.toString(i), + mConfig.getString(PROP_PORT + + Integer.toString(i), "389")); + params.add(PROP_BASE_DN + Integer.toString(i), + mConfig.getString(PROP_BASE_DN + + Integer.toString(i), "")); + params.add(PROP_REFRESH_IN_SEC + Integer.toString(i), + mConfig.getString(PROP_REFRESH_IN_SEC + + Integer.toString(i), Integer.toString(DEF_REFRESH_IN_SEC))); } - params.add(PROP_BY_NAME, mConfig.getString(PROP_BY_NAME, "true")); - params.add(PROP_CA_CERT_ATTR, - mConfig.getString(PROP_CA_CERT_ATTR, DEF_CA_CERT_ATTR)); + params.add(PROP_BY_NAME, + mConfig.getString(PROP_BY_NAME, "true")); + params.add(PROP_CA_CERT_ATTR, + mConfig.getString(PROP_CA_CERT_ATTR, DEF_CA_CERT_ATTR)); params.add(PROP_CRL_ATTR, - mConfig.getString(PROP_CRL_ATTR, DEF_CRL_ATTR)); + mConfig.getString(PROP_CRL_ATTR, DEF_CRL_ATTR)); params.add(PROP_NOT_FOUND_GOOD, - mConfig.getString(PROP_NOT_FOUND_GOOD, 
"true")); + mConfig.getString(PROP_NOT_FOUND_GOOD, "true")); params.add(PROP_INCLUDE_NEXT_UPDATE, - mConfig.getString(PROP_INCLUDE_NEXT_UPDATE, "false")); + mConfig.getString(PROP_INCLUDE_NEXT_UPDATE, "false")); return params; } catch (Exception e) { return null; } } - public void setConfigParameters(NameValuePairs pairs) throws EBaseException { + public void setConfigParameters(NameValuePairs pairs) + throws EBaseException { Enumeration k = pairs.getNames(); while (k.hasMoreElements()) {
@@ -577,13 +575,15 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo { } } + class CRLUpdater extends Thread { private LDAPConnection mC = null; private String mBaseDN = null; private int mSec = 0; private LDAPStore mStore = null; - public CRLUpdater(LDAPStore store, LDAPConnection c, String baseDN, int sec) { + public CRLUpdater(LDAPStore store, LDAPConnection c, + String baseDN, int sec) { mC = c; mSec = sec; mBaseDN = baseDN;
@@ -608,6 +608,7 @@ class CRLUpdater extends Thread { } } + class TempCRLIssuingPointRecord implements ICRLIssuingPointRecord { /** *
@@ -738,7 +739,7 @@ class TempCRLIssuingPointRecord implements ICRLIssuingPointRecord { return null; } - public void set(String name, Object obj) throws EBaseException { + public void set(String name, Object obj)throws EBaseException { } public Object get(String name) throws EBaseException {
@@ -746,7 +747,7 @@ class TempCRLIssuingPointRecord implements ICRLIssuingPointRecord { } public void delete(String name) throws EBaseException { - + } public Enumeration getElements() { |
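Review bot: `nextUpdate = new GeneralizedTime(theCRL.getNextUpdate());` in the hunk at -503 assumes the CRL carries a nextUpdate field, but X509CRL.getNextUpdate() returns null when it is absent, so with includeNextUpdate enabled a CRL without that field would most likely make every request for that CA fail over in validate's catch-all. Guarding the field, `if (includeNextUpdate() && theCRL.getNextUpdate() != null) {`, keeps the response well-formed, since nextUpdate is already allowed to stay null. Further down in the same hunk, getConfigParameters ends in `catch (Exception e) { return null; }`, which hides a misconfigured store from the admin UI; a `CMS.debug("LDAPStore: getConfigParameters " + e)` before the return would preserve the reason. processRequest starts in the hunk at -473, and setConfigParameters continues past the end of this hunk.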
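Review bot: The new signature in the hunk at -738, `public void set(String name, Object obj)throws EBaseException {`, drops the space before `throws` that every other declaration in this diff keeps, which for a formatting-only commit is a regression rather than a cleanup; it should read `public void set(String name, Object obj) throws EBaseException {`.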