diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java')
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java | 362 |
1 files changed, 0 insertions, 362 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java deleted file mode 100644 index 6594cc4a2..000000000 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java +++ /dev/null @@ -1,362 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.policy.extensions; - -import java.io.IOException; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.Locale; -import java.util.Vector; - -import netscape.security.x509.CertificateChain; -import netscape.security.x509.CertificateExtensions; -import netscape.security.x509.CertificateVersion; -import netscape.security.x509.KeyUsageExtension; -import netscape.security.x509.X509CertInfo; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authority.ICertAuthority; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.base.ISubsystem; -import com.netscape.certsrv.ca.ICertificateAuthority; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.policy.IEnrollmentPolicy; -import com.netscape.certsrv.policy.IPolicyProcessor; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.PolicyResult; -import com.netscape.cms.policy.APolicyRule; - -/** - * Policy to add Key Usage Extension. - * Adds the key usage extension based on what's requested. - * <P> - * - * <PRE> - * NOTE: The Policy Framework has been replaced by the Profile Framework. - * </PRE> - * <P> - * - * @deprecated - * @version $Revision$, $Date$ - */ -public class KeyUsageExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { - - private final static String HTTP_INPUT = "HTTP_INPUT"; - protected static final boolean[] DEF_BITS = - new boolean[KeyUsageExtension.NBITS]; - protected int mCAPathLen = -1; - protected IConfigStore mConfig = null; - protected static final String PROP_CRITICAL = "critical"; - protected static final String PROP_DIGITAL_SIGNATURE = "digitalSignature"; - protected static final String PROP_NON_REPUDIATION = "nonRepudiation"; - protected static final String PROP_KEY_ENCIPHERMENT = "keyEncipherment"; - protected static final String PROP_DATA_ENCIPHERMENT = "dataEncipherment"; - protected static final String PROP_KEY_AGREEMENT = "keyAgreement"; - protected static final String PROP_KEY_CERTSIGN = "keyCertsign"; - protected static final String PROP_CRL_SIGN = "crlSign"; - protected static final String PROP_ENCIPHER_ONLY = "encipherOnly"; - protected static final String PROP_DECIPHER_ONLY = "decipherOnly"; - - protected boolean mCritical; - protected String mDigitalSignature; - protected String mNonRepudiation; - protected String mKeyEncipherment; - protected String mDataEncipherment; - protected String mKeyAgreement; - protected String mKeyCertsign; - protected String mCrlSign; - protected String mEncipherOnly; - protected String mDecipherOnly; - - protected KeyUsageExtension mKeyUsage; - - public KeyUsageExt() { - NAME = "KeyUsageExtPolicy"; - DESC = "Sets Key Usage Extension in certificates."; - } - - /** - * Initializes this policy rule. - * <P> - * - * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=KeyUsageExt ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>. - * - * @param config The config store reference - */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { - mConfig = config; - - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); - - if (certAuthority == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager or Registration Manager")); - } - - if (certAuthority instanceof ICertificateAuthority) { - CertificateChain caChain = certAuthority.getCACertChain(); - X509Certificate caCert = null; - - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. - if (caChain != null) { - caCert = caChain.getFirstCertificate(); - mCAPathLen = caCert.getBasicConstraints(); - } - } - - mCritical = mConfig.getBoolean(PROP_CRITICAL, true); - mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE, HTTP_INPUT); - mNonRepudiation = mConfig.getString(PROP_NON_REPUDIATION, HTTP_INPUT); - mKeyEncipherment = mConfig.getString(PROP_KEY_ENCIPHERMENT, HTTP_INPUT); - mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT, HTTP_INPUT); - mKeyAgreement = mConfig.getString(PROP_KEY_AGREEMENT, HTTP_INPUT); - mKeyCertsign = mConfig.getString(PROP_KEY_CERTSIGN, HTTP_INPUT); - mCrlSign = mConfig.getString(PROP_CRL_SIGN, HTTP_INPUT); - mEncipherOnly = mConfig.getString(PROP_ENCIPHER_ONLY, HTTP_INPUT); - mDecipherOnly = mConfig.getString(PROP_DECIPHER_ONLY, HTTP_INPUT); - } - - /** - * Adds the key usage extension if not set already. - * (CRMF, agent, authentication (currently) or PKCS#10 (future) - * or RA could have set the extension.) - * If not set, set from http input parameters or use default if - * no http input parameters are set. - * - * Note: this allows any bits requested - does not check if user - * authenticated is allowed to have a Key Usage Extension with - * those bits. Unless the CA's certificate path length is 0, then - * we do not allow CA sign or CRL sign bits in any request. - * - * <P> - * - * @param req The request on which to apply policy. - * @return The policy result object. - */ - public PolicyResult apply(IRequest req) { - - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - - if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; // unrecoverable error. - } - - for (int i = 0; i < ci.length; i++) { - PolicyResult certRes = applyCert(req, ci[i]); - - if (certRes == PolicyResult.REJECTED) - return certRes; - } - return PolicyResult.ACCEPTED; - } - - public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { - try { - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); - KeyUsageExtension ext = null; - - if (extensions != null) { - try { - ext = (KeyUsageExtension) - extensions.get(KeyUsageExtension.NAME); - } catch (IOException e) { - // extension isn't there. - ext = null; - } - // check if CA does not allow subordinate CA certs. - // otherwise accept existing key usage extension. - if (ext != null) { - if (mCAPathLen == 0) { - boolean[] bits = ext.getBits(); - - if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || - (bits.length > KeyUsageExtension.CRL_SIGN_BIT && - bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); - return PolicyResult.REJECTED; - } - } - return PolicyResult.ACCEPTED; - } - } else { - // create extensions set if none. - if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); - extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.EXTENSIONS, extensions); - } - } - - boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - - bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", - mDigitalSignature, req); - bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", - mNonRepudiation, req); - bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", - mKeyEncipherment, req); - bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", - mDataEncipherment, req); - bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", - mKeyAgreement, req); - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", - mKeyCertsign, req); - bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); - bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", - mEncipherOnly, req); - bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", - mDecipherOnly, req); - - // don't allow no bits set or the extension does not - // encode/decode properlly. - boolean bitset = false; - - for (int i = 0; i < bits.length; i++) { - if (bits[i]) { - bitset = true; - break; - } - } - if (!bitset) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), - NAME); - return PolicyResult.REJECTED; - } - - // create the extension. - try { - mKeyUsage = new KeyUsageExtension(mCritical, bits); - } catch (IOException e) { - } - extensions.set(KeyUsageExtension.NAME, mKeyUsage); - return PolicyResult.ACCEPTED; - } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); - return PolicyResult.REJECTED; // unrecoverable error. - } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); - return PolicyResult.REJECTED; // unrecoverable error. - } - } - - /** - * Return configured parameters for a policy rule instance. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getInstanceParams() { - Vector<String> params = new Vector<String>(); - - params.addElement(PROP_CRITICAL + "=" + mCritical); - params.addElement(PROP_DIGITAL_SIGNATURE + "=" + mDigitalSignature); - params.addElement(PROP_NON_REPUDIATION + "=" + mNonRepudiation); - params.addElement(PROP_KEY_ENCIPHERMENT + "=" + mKeyEncipherment); - params.addElement(PROP_DATA_ENCIPHERMENT + "=" + mDataEncipherment); - params.addElement(PROP_KEY_AGREEMENT + "=" + mKeyAgreement); - params.addElement(PROP_KEY_CERTSIGN + "=" + mKeyCertsign); - params.addElement(PROP_CRL_SIGN + "=" + mCrlSign); - params.addElement(PROP_ENCIPHER_ONLY + "=" + mEncipherOnly); - params.addElement(PROP_DECIPHER_ONLY + "=" + mDecipherOnly); - return params; - } - - private static Vector<String> mDefParams = new Vector<String>(); - static { - mDefParams.addElement(PROP_CRITICAL + "=true"); - mDefParams.addElement(PROP_DIGITAL_SIGNATURE + "="); - mDefParams.addElement(PROP_NON_REPUDIATION + "="); - mDefParams.addElement(PROP_KEY_ENCIPHERMENT + "="); - mDefParams.addElement(PROP_DATA_ENCIPHERMENT + "="); - mDefParams.addElement(PROP_KEY_AGREEMENT + "="); - mDefParams.addElement(PROP_KEY_CERTSIGN + "="); - mDefParams.addElement(PROP_CRL_SIGN + "="); - mDefParams.addElement(PROP_ENCIPHER_ONLY + "="); - mDefParams.addElement(PROP_DECIPHER_ONLY + "="); - } - - public String[] getExtendedPluginInfo(Locale locale) { - String[] params = { - PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD be critical", - PROP_DIGITAL_SIGNATURE - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_NON_REPUDIATION - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_ENCIPHERMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DATA_ENCIPHERMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_AGREEMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_CERTSIGN - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_CRL_SIGN - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_ENCIPHER_ONLY - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DECIPHER_ONLY - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-keyusage", - IExtendedPluginInfo.HELP_TEXT + - ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" - - }; - - return params; - } - - /** - * Return default parameters for a policy implementation. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getDefaultParams() { - return mDefParams; - } - - private boolean getBit(String usage, String choice, IRequest req) { - if (choice.equals(HTTP_INPUT)) { - choice = req.getExtDataInString(IRequest.HTTP_PARAMS, usage); - if (choice == null) - choice = "false"; - } - return Boolean.valueOf(choice).booleanValue(); - } -} |