diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java | 216 |
1 files changed, 0 insertions, 216 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java deleted file mode 100644 index a08bde78c..000000000 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java +++ /dev/null @@ -1,216 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.policy.constraints; - -import java.util.Locale; -import java.util.Vector; - -import netscape.security.x509.X500Name; -import netscape.security.x509.X509CertInfo; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.base.ISubsystem; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.policy.EPolicyException; -import com.netscape.certsrv.policy.IEnrollmentPolicy; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.PolicyResult; -import com.netscape.cms.policy.APolicyRule; - -/** - * IssuerConstraints is a rule for restricting the issuers of the - * certificates used for certificate-based enrollments. - * <P> - * - * <PRE> - * NOTE: The Policy Framework has been replaced by the Profile Framework. - * </PRE> - * <P> - * - * @deprecated - * @version $Revision$ $Date$ - */ -public class IssuerConstraints extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { - private final static String PROP_ISSUER_DN = "issuerDN"; - private static final String CLIENT_ISSUER = "clientIssuer"; - private X500Name mIssuerDN = null; - private String mIssuerDNString; - - /** - * checks the issuer of the ssl client-auth cert. Only one issuer - * is allowed for now - */ - public IssuerConstraints() { - NAME = "IssuerConstraints"; - DESC = "Checks to see if the Issuer is one allowed"; - } - - public String[] getExtendedPluginInfo(Locale locale) { - String[] params = { - PROP_ISSUER_DN - + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-issuerconstraints", - IExtendedPluginInfo.HELP_TEXT + - ";Rejects the request if the issuer in the certificate is" + - "not of the one specified" - }; - - return params; - - } - - /** - * Initializes this policy rule. - * <P> - * - * @param config The config store reference - */ - public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { - try { - mIssuerDNString = config.getString(PROP_ISSUER_DN, null); - if ((mIssuerDNString != null) && - !mIssuerDNString.equals("")) { - mIssuerDN = new X500Name(mIssuerDNString); - } - } catch (Exception e) { - log(ILogger.LL_FAILURE, - NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); - - String[] params = { getInstanceName(), e.toString() }; - - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); - } - CMS.debug( - NAME + ": init() done"); - } - - /** - * Applies the policy on the given Request. - * <P> - * - * @param req The request on which to apply policy. - * @return The policy result object. - */ - public PolicyResult apply(IRequest req) { - PolicyResult result = PolicyResult.ACCEPTED; - - if (mIssuerDN == null) - return result; - - try { - String clientIssuerDN = req.getExtDataInString(CLIENT_ISSUER); - - if (clientIssuerDN != null) { - X500Name ci_name = new X500Name(clientIssuerDN); - - if (!ci_name.equals(mIssuerDN)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", - getInstanceName()), ""); - result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); - CMS.debug( - NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN - + "; expected issuerDN = " + mIssuerDNString); - } - } else { - - // Get the certificate info from the request - X509CertInfo certInfo[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - - if (certInfo == null) { - log(ILogger.LL_FAILURE, - NAME + ": apply() - missing certInfo"); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", - getInstanceName()), ""); - return PolicyResult.REJECTED; - } - - for (int i = 0; i < certInfo.length; i++) { - String oldIssuer = (String) - certInfo[i].get(X509CertInfo.ISSUER).toString(); - - if (oldIssuer == null) { - setError(req, - CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", - getInstanceName()), ""); - result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - NAME + ": apply() - client issuerDN not found"); - } - X500Name oi_name = new X500Name(oldIssuer); - - if (!oi_name.equals(mIssuerDN)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", - getInstanceName()), ""); - result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer - + "; expected issuerDN = " + mIssuerDNString); - } - } - } - } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; - - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); - result = PolicyResult.REJECTED; - } - - if (result.equals(PolicyResult.ACCEPTED)) { - log(ILogger.LL_INFO, - NAME + ": apply() - accepted"); - } - return result; - } - - /** - * Return configured parameters for a policy rule instance. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getInstanceParams() { - Vector<String> confParams = new Vector<String>(); - - confParams.addElement(PROP_ISSUER_DN + "=" + - mIssuerDNString); - return confParams; - } - - /** - * Return default parameters for a policy implementation. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getDefaultParams() { - Vector<String> defParams = new Vector<String>(); - - defParams.addElement(PROP_ISSUER_DN + "="); - return defParams; - } - -} |