Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java | 222 |
1 files changed, 118 insertions, 104 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java index 4f7a72c4d..b6311eaa4 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -44,25 +43,24 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Policy to add Key Usage Extension. - * Adds the key usage extension based on what's requested. + * Policy to add Key Usage Extension. Adds the key usage extension based on + * what's requested. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class KeyUsageExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, + IExtendedPluginInfo { private final static String HTTP_INPUT = "HTTP_INPUT"; - protected static final boolean[] DEF_BITS = - new boolean[KeyUsageExtension.NBITS]; + protected static final boolean[] DEF_BITS = new boolean[KeyUsageExtension.NBITS]; protected int mCAPathLen = -1; protected IConfigStore mConfig = null; protected static final String PROP_CRITICAL = "critical"; 
@@ -97,35 +95,35 @@ public class KeyUsageExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=KeyUsageExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>. - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=KeyUsageExt + * ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>. + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) + .getAuthority(); if (certAuthority == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager or Registration Manager")); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); } if (certAuthority instanceof ICertificateAuthority) { CertificateChain caChain = certAuthority.getCACertChain(); X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); mCAPathLen = caCert.getBasicConstraints(); 
@@ -133,10 +131,12 @@ public class KeyUsageExt extends APolicyRule
         }
         mCritical = mConfig.getBoolean(PROP_CRITICAL, true);
-        mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE, HTTP_INPUT);
+        mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE,
+                HTTP_INPUT);
         mNonRepudiation = mConfig.getString(PROP_NON_REPUDIATION, HTTP_INPUT);
         mKeyEncipherment = mConfig.getString(PROP_KEY_ENCIPHERMENT, HTTP_INPUT);
-        mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT, HTTP_INPUT);
+        mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT,
+                HTTP_INPUT);
         mKeyAgreement = mConfig.getString(PROP_KEY_AGREEMENT, HTTP_INPUT);
         mKeyCertsign = mConfig.getString(PROP_KEY_CERTSIGN, HTTP_INPUT);
         mCrlSign = mConfig.getString(PROP_CRL_SIGN, HTTP_INPUT);
@@ -145,30 +145,28 @@ public class KeyUsageExt extends APolicyRule } /** - * Adds the key usage extension if not set already. - * (CRMF, agent, authentication (currently) or PKCS#10 (future) - * or RA could have set the extension.) - * If not set, set from http input parameters or use default if + * Adds the key usage extension if not set already. (CRMF, agent, + * authentication (currently) or PKCS#10 (future) or RA could have set the + * extension.) If not set, set from http input parameters or use default if * no http input parameters are set. * - * Note: this allows any bits requested - does not check if user - * authenticated is allowed to have a Key Usage Extension with - * those bits. Unless the CA's certificate path length is 0, then - * we do not allow CA sign or CRL sign bits in any request. + * Note: this allows any bits requested - does not check if user + * authenticated is allowed to have a Key Usage Extension with those bits. + * Unless the CA's certificate path length is 0, then we do not allow CA + * sign or CRL sign bits in any request. * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -183,31 +181,30 @@ public class KeyUsageExt extends APolicyRule public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); KeyUsageExtension ext = null; if (extensions != null) { try { - ext = (KeyUsageExtension) - extensions.get(KeyUsageExtension.NAME); + ext = (KeyUsageExtension) extensions + .get(KeyUsageExtension.NAME); } catch (IOException e) { // extension isn't there. ext = null; } - // check if CA does not allow subordinate CA certs. + // check if CA does not allow subordinate CA certs. // otherwise accept existing key usage extension. if (ext != null) { if (mCAPathLen == 0) { boolean[] bits = ext.getBits(); - if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || - (bits.length > KeyUsageExtension.CRL_SIGN_BIT && - bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) + || (bits.length > KeyUsageExtension.CRL_SIGN_BIT && bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { + setError( + req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), + NAME); return PolicyResult.REJECTED; } } @@ -216,8 +213,8 @@ public class KeyUsageExt extends APolicyRule } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, new CertificateVersion( + CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } 
@@ -225,41 +222,45 @@ public class KeyUsageExt extends APolicyRule boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", - mDigitalSignature, req); - bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", - mNonRepudiation, req); - bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", - mKeyEncipherment, req); - bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", - mDataEncipherment, req); - bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", - mKeyAgreement, req); - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", - mKeyCertsign, req); - bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); + bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit( + "digital_signature", mDigitalSignature, req); + bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit( + "non_repudiation", mNonRepudiation, req); + bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit( + "key_encipherment", mKeyEncipherment, req); + bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit( + "data_encipherment", mDataEncipherment, req); + bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", + mKeyAgreement, req); + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", + mKeyCertsign, req); + bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, + req); bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", - mEncipherOnly, req); - bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", - mDecipherOnly, req); - - // don't allow no bits set or the extension does not + mEncipherOnly, req); + bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", + mDecipherOnly, req); + + // don't allow no bits set or the extension does not // encode/decode properlly. 
boolean bitset = false; for (int i = 0; i < bits.length; i++) { if (bits[i]) { - bitset = true; + bitset = true; break; } } if (!bitset) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), - NAME); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); + setError( + req, + CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), + NAME); return PolicyResult.REJECTED; } - + // create the extension. try { mKeyUsage = new KeyUsageExtension(mCritical, bits); @@ -268,24 +269,28 @@ public class KeyUsageExt extends APolicyRule extensions.set(KeyUsageExtension.NAME, mKeyUsage); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); 
@@ -317,32 +322,42 @@ public class KeyUsageExt extends APolicyRule public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD be critical", - PROP_DIGITAL_SIGNATURE + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_NON_REPUDIATION + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_ENCIPHERMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DATA_ENCIPHERMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_AGREEMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_CERTSIGN + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_CRL_SIGN + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_ENCIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DECIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-keyusage", - IExtendedPluginInfo.HELP_TEXT + - ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" - - }; + PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: SHOULD 
be critical", + PROP_DIGITAL_SIGNATURE + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_NON_REPUDIATION + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_ENCIPHERMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DATA_ENCIPHERMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_AGREEMENT + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_CERTSIGN + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_CRL_SIGN + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_ENCIPHER_ONLY + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DECIPHER_ONLY + + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-keyusage", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" + + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } 
@@ -355,4 +370,3 @@ public class KeyUsageExt extends APolicyRule return Boolean.valueOf(choice).booleanValue(); } } - |