Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java | 266 |
1 files changed, 134 insertions, 132 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
index b641d91ed..25af72982 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.extensions;
-
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.Enumeration;
@@ -43,57 +42,45 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Authority Information Access extension policy. - * If this policy is enabled, it adds an authority - * information access extension to the certificate. - * + * Authority Information Access extension policy. If this policy is enabled, it + * adds an authority information access extension to the certificate. + * * The following listed sample configuration parameters: * - * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy.AuthInfoAccessExt + * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy. + * AuthInfoAccessExt * ca.Policy.rule.aia.ad0_location=uriName:http://ocsp1.netscape.com - * ca.Policy.rule.aia.ad0_method=ocsp - * ca.Policy.rule.aia.ad1_location_type=URI + * ca.Policy.rule.aia.ad0_method=ocsp ca.Policy.rule.aia.ad1_location_type=URI * ca.Policy.rule.aia.ad1_location=http://ocsp2.netscape.com - * ca.Policy.rule.aia.ad1_method=ocsp - * ca.Policy.rule.aia.ad2_location= - * ca.Policy.rule.aia.ad2_method= - * ca.Policy.rule.aia.ad3_location= - * ca.Policy.rule.aia.ad3_method= - * ca.Policy.rule.aia.ad4_location= - * ca.Policy.rule.aia.ad4_method= - * ca.Policy.rule.aia.critical=true - * ca.Policy.rule.aia.enable=true - * ca.Policy.rule.aia.implName=AuthInfoAccess + * ca.Policy.rule.aia.ad1_method=ocsp ca.Policy.rule.aia.ad2_location= + * ca.Policy.rule.aia.ad2_method= ca.Policy.rule.aia.ad3_location= + * ca.Policy.rule.aia.ad3_method= ca.Policy.rule.aia.ad4_location= + * ca.Policy.rule.aia.ad4_method= ca.Policy.rule.aia.critical=true + * ca.Policy.rule.aia.enable=true ca.Policy.rule.aia.implName=AuthInfoAccess * ca.Policy.rule.aia.predicate= - * - * Currently, this policy only supports the following location: - * uriName:[URI], dirName:[DN] + * + * Currently, this policy only supports the following location: uriName:[URI], + * dirName:[DN] * <P> + * * <PRE> * NOTE: 
The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AuthInfoAccessExt extends APolicyRule implements +public class AuthInfoAccessExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { - protected static final String PROP_CRITICAL = - "critical"; - protected static final String PROP_AD = - "ad"; - protected static final String PROP_METHOD = - "method"; - protected static final String PROP_LOCATION = - "location"; - protected static final String PROP_LOCATION_TYPE = - "location_type"; - - protected static final String PROP_NUM_ADS = - "numADs"; + protected static final String PROP_CRITICAL = "critical"; + protected static final String PROP_AD = "ad"; + protected static final String PROP_METHOD = "method"; + protected static final String PROP_LOCATION = "location"; + protected static final String PROP_LOCATION_TYPE = "location_type"; + + protected static final String PROP_NUM_ADS = "numADs"; public static final int MAX_AD = 5; 
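Review bot: The reflowed class Javadoc now merges distinct configuration properties onto single lines, e.g. `ca.Policy.rule.aia.ad0_method=ocsp ca.Policy.rule.aia.ad1_location_type=URI`, and splits the implementation class name across two lines as `com.netscape.certsrv.policy.` / `AuthInfoAccessExt`, so the sample configuration no longer reads as one property per line and the class name is no longer usable as written. Because Javadoc collapses whitespace anyway, the sample block should be wrapped in `<pre>...</pre>` with each `ca.Policy.rule.aia.*` entry restored to its own line and the class name rejoined; the `ca.Policy.rule.<ruleName>.*` sample in the init() Javadoc later in this diff would benefit from the same treatment, and its unescaped `<ruleName>` should be written as `&lt;ruleName&gt;` or placed in `{@code ...}` so it is not rendered as an HTML tag. Separately, the sample `class=` value names package `com.netscape.certsrv.policy`, which differs from this file's own package `com.netscape.cms.policy.extensions`; worth confirming which one the policy loader expects before republishing the example.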
@@ -107,19 +94,28 @@ public class AuthInfoAccessExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { Vector v = new Vector(); - v.addElement(PROP_CRITICAL + - ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); - v.addElement(PROP_NUM_ADS + - ";number;The total number of access descriptions."); - v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Authority Info Access Extension. Defined in RFC 2459 " + "(4.2.2.1)"); - v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-authinfoaccess"); + v.addElement(PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); + v.addElement(PROP_NUM_ADS + + ";number;The total number of access descriptions."); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Info Access Extension. Defined in RFC 2459 " + + "(4.2.2.1)"); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authinfoaccess"); for (int i = 0; i < MAX_AD; i++) { - v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD + ";string;" + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); - v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); - v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); + v.addElement(PROP_AD + + Integer.toString(i) + + "_" + + PROP_METHOD + + ";string;" + + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 
1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); + v.addElement(PROP_AD + Integer.toString(i) + "_" + + PROP_LOCATION_TYPE + ";" + + IGeneralNameUtil.GENNAME_CHOICE_INFO); + v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION + + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); } return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } @@ -127,17 +123,17 @@ public class AuthInfoAccessExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; } @@ -152,8 +148,8 @@ public class AuthInfoAccessExt extends APolicyRule implements // for (int i = 0;; i++) { ObjectIdentifier methodOID = null; - String method = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_METHOD, null); + String method = mConfig.getString(PROP_AD + Integer.toString(i) + + "_" + PROP_METHOD, null); if (method == null) break; 
@@ -161,23 +157,27 @@ public class AuthInfoAccessExt extends APolicyRule implements
 if (method.equals("")) break;
- //
- // method ::= ocsp | caIssuers | <OID>
- // OID ::= [object identifier]
- //
+ //
+ // method ::= ocsp | caIssuers | <OID>
+ // OID ::= [object identifier]
+ //
 try {
 if (method.equalsIgnoreCase("ocsp")) {
- methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.1");
+ methodOID = ObjectIdentifier
+ .getObjectIdentifier("1.3.6.1.5.5.7.48.1");
 } else if (method.equalsIgnoreCase("caIssuers")) {
- methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.2");
+ methodOID = ObjectIdentifier
+ .getObjectIdentifier("1.3.6.1.5.5.7.48.2");
 } else if (method.equalsIgnoreCase("renewal")) {
- methodOID = ObjectIdentifier.getObjectIdentifier("2.16.840.1.113730.1.16.1");
+ methodOID = ObjectIdentifier
+ .getObjectIdentifier("2.16.840.1.113730.1.16.1");
 } else { // it could be an object identifier, test it
 methodOID = ObjectIdentifier.getObjectIdentifier(method);
 }
 } catch (IOException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method));
 }
 //
@@ -185,17 +185,16 @@ public class AuthInfoAccessExt extends APolicyRule implements
 // TAG ::= uriName | dirName
 // VALUE ::= [value defined by TAG]
 //
- String location_type = mConfig.getString(PROP_AD +
- Integer.toString(i) +
- "_" + PROP_LOCATION_TYPE, null);
- String location = mConfig.getString(PROP_AD +
- Integer.toString(i) +
- "_" + PROP_LOCATION, null);
+ String location_type = mConfig.getString(
+ PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION_TYPE,
+ null);
+ String location = mConfig.getString(PROP_AD + Integer.toString(i) +
+ "_" + PROP_LOCATION, null);
 if (location == null) break;
 GeneralName gn = CMS.form_GeneralName(location_type, location);
- Vector e = new Vector();
+ Vector e = new Vector();
 e.addElement(methodOID);
 e.addElement(gn);
@@ -205,10 +204,10 @@ public class AuthInfoAccessExt extends APolicyRule implements
 }
 /**
- * If this policy is enabled, add the authority information
- * access extension to the certificate.
+ * If this policy is enabled, add the authority information access extension
+ * to the certificate.
 * <P>
- *
+ *
 * @param req The request on which to apply policy.
 * @return The policy result object.
 */
@@ -216,11 +215,11 @@ public class AuthInfoAccessExt extends APolicyRule implements
 PolicyResult res = PolicyResult.ACCEPTED;
 X509CertInfo certInfo;
- X509CertInfo[] ci = req.getExtDataInCertInfoArray(
- IRequest.CERT_INFO);
+ X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
 if (ci == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), "");
+ setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME),
+ "");
 return PolicyResult.REJECTED; // unrecoverable error.
 }
@@ -228,43 +227,45 @@ public class AuthInfoAccessExt extends APolicyRule implements certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", - NAME, "Configuration Info Error"), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); + setError(req, CMS.getUserMessage( + "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, + "Configuration Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); // add access descriptions Enumeration e = getAccessDescriptions(); if (!e.hasMoreElements()) { return res; - } - + } + if (extensions == null) { // create extension if not exist - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, new CertificateVersion( + CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { // check to see if AIA is already exist try { extensions.delete(AuthInfoAccessExtension.NAME); - log(ILogger.LL_WARN, "Previous extension deleted: " + AuthInfoAccessExtension.NAME); + log(ILogger.LL_WARN, "Previous extension deleted: " + + AuthInfoAccessExtension.NAME); } catch (IOException ex) { } } // Create the extension - AuthInfoAccessExtension aiaExt = new - AuthInfoAccessExtension(mConfig.getBoolean( - PROP_CRITICAL, false)); + AuthInfoAccessExtension aiaExt = new AuthInfoAccessExtension( + mConfig.getBoolean(PROP_CRITICAL, false)); while (e.hasMoreElements()) { Vector ad = (Vector) e.nextElement(); 
@@ -276,19 +277,25 @@ public class AuthInfoAccessExt extends APolicyRule implements
 extensions.set(AuthInfoAccessExtension.NAME, aiaExt);
 } catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- NAME, e.getMessage()), "");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME,
+ e.getMessage()), "");
 return PolicyResult.REJECTED; // unrecoverable error.
 } catch (EBaseException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- NAME, "Configuration Info Error"), "");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME,
+ "Configuration Info Error"), "");
 return PolicyResult.REJECTED; // unrecoverable error.
 } catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- NAME, "Certificate Info Error"), "");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()));
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME,
+ "Certificate Info Error"), "");
 return PolicyResult.REJECTED; // unrecoverable error.
 }
 }
@@ -298,15 +305,15 @@ public class AuthInfoAccessExt extends APolicyRule implements
 /**
 * Return configured parameters for a policy rule instance.
- *
+ *
 * @return nvPairs A Vector of name/value pairs.
 */
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
 Vector params = new Vector();
 try {
- params.addElement(PROP_CRITICAL + "=" +
- mConfig.getBoolean(PROP_CRITICAL, false));
+ params.addElement(PROP_CRITICAL + "=" +
+ mConfig.getBoolean(PROP_CRITICAL, false));
 } catch (EBaseException e) {
 params.addElement(PROP_CRITICAL + "=false");
 }
@@ -324,46 +331,41 @@ public class AuthInfoAccessExt extends APolicyRule implements String method = null; try { - method = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_METHOD, - ""); + method = mConfig.getString(PROP_AD + Integer.toString(i) + "_" + + PROP_METHOD, ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_METHOD + "=" + method); + params.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD + + "=" + method); String location_type = null; try { - location_type = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_LOCATION_TYPE, - IGeneralNameUtil.GENNAME_CHOICE_URL); + location_type = mConfig.getString(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE, + IGeneralNameUtil.GENNAME_CHOICE_URL); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_LOCATION_TYPE + "=" + location_type); + params.addElement(PROP_AD + Integer.toString(i) + "_" + + PROP_LOCATION_TYPE + "=" + location_type); String location = null; try { - location = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_LOCATION, - ""); + location = mConfig.getString(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION, ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_LOCATION + "=" + location); + params.addElement(PROP_AD + Integer.toString(i) + "_" + + PROP_LOCATION + "=" + location); } return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); 
@@ -375,14 +377,14 @@ public class AuthInfoAccessExt extends APolicyRule implements
 // the CMS.cfg
 //
 for (int i = 0; i < MAX_AD; i++) {
- defParams.addElement(PROP_AD + Integer.toString(i) +
- "_" + PROP_METHOD + "=");
- defParams.addElement(PROP_AD + Integer.toString(i) +
- "_" + PROP_LOCATION_TYPE + "=" + IGeneralNameUtil.GENNAME_CHOICE_URL);
- defParams.addElement(PROP_AD + Integer.toString(i) +
- "_" + PROP_LOCATION + "=");
+ defParams.addElement(PROP_AD + Integer.toString(i) + "_" +
+ PROP_METHOD + "=");
+ defParams.addElement(PROP_AD + Integer.toString(i) + "_" +
+ PROP_LOCATION_TYPE + "=" +
+ IGeneralNameUtil.GENNAME_CHOICE_URL);
+ defParams.addElement(PROP_AD + Integer.toString(i) + "_" +
+ PROP_LOCATION + "=");
 }
 return defParams;
 }
 }
-
|