Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java | 305 |
1 files changed, 157 insertions, 148 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java
index f920b47ba..2ececcf9c 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.extensions;
+
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -45,44 +46,45 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * NS Cert Type policy. Adds the ns cert type extension depending on cert type - * requested. + * NS Cert Type policy. + * Adds the ns cert type extension depending on cert type requested. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class NSCertTypeExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_SET_DEFAULT_BITS = "setDefaultBits"; protected static final boolean DEF_SET_DEFAULT_BITS = true; - protected static final String DEF_SET_DEFAULT_BITS_VAL = Boolean.valueOf( - DEF_SET_DEFAULT_BITS).toString(); + protected static final String DEF_SET_DEFAULT_BITS_VAL = + Boolean.valueOf(DEF_SET_DEFAULT_BITS).toString(); protected static final int DEF_PATHLEN = -1; - protected static final boolean[] DEF_BITS = new boolean[NSCertTypeExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[NSCertTypeExtension.NBITS]; - // XXX for future use. currenlty always allow. + // XXX for future use. currenlty always allow. protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; protected static final String PROP_EE_OVERR = "AllowEEOverride"; - // XXX for future use. currently always critical - // (standard says SHOULD be marked critical if included.) + // XXX for future use. currently always critical + // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; - // XXX for future use to allow overrides from forms. + // XXX for future use to allow overrides from forms. // request must be agent approved or authenticated. 
protected boolean mAllowAgentOverride = false; protected boolean mAllowEEOverride = false; - // XXX for future use. currently always non-critical + // XXX for future use. currently always non-critical protected boolean mCritical = false; protected int mCAPathLen = -1; @@ -110,25 +112,25 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt + * ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX future use. - // mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); - // mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); + //mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); + //mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); mCritical = config.getBoolean(PROP_CRITICAL, false); - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority instanceof ICertificateAuthority) { CertificateChain caChain = certAuthority.getCACertChain(); 
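Review bot: The two comments kept by this reformat contradict each other: `PROP_CRITICAL` is annotated `currently always critical (standard says SHOULD be marked critical if included.)` while the `mCritical` field a few lines below says `currently always non-critical`, and `init()` in the next hunk reads `mCritical = config.getBoolean(PROP_CRITICAL, false)`, so the effective default is non-critical. Whether `mCritical` is ever passed to the extension constructor is outside these hunks, so I cannot confirm which statement is true, but at least the first comment should be reconciled with the code, e.g. `// XXX for future use. default is non-critical (PROP_CRITICAL, see init()); the standard says SHOULD be critical if included.` This is a comment-only change.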
@@ -139,34 +141,35 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); - if (caCert != null) + if (caCert != null) mCAPathLen = caCert.getBasicConstraints(); } } - mSetDefaultBits = mConfig.getBoolean(PROP_SET_DEFAULT_BITS, - DEF_SET_DEFAULT_BITS); + mSetDefaultBits = mConfig.getBoolean( + PROP_SET_DEFAULT_BITS, DEF_SET_DEFAULT_BITS); } /** - * Adds the ns cert type if not set already. reads ns cert type choices from - * form. If no choices from form will defaults to all. + * Adds the ns cert type if not set already. + * reads ns cert type choices from form. If no choices from form + * will defaults to all. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " - + getInstanceName() + "::apply()"); + CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " + getInstanceName() + "::apply()"); PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -181,29 +184,30 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); NSCertTypeExtension nsCertTypeExt = null; if (extensions != null) { // See if extension is already set and contains correct values. try { - nsCertTypeExt = (NSCertTypeExtension) extensions - .get(NSCertTypeExtension.NAME); + nsCertTypeExt = (NSCertTypeExtension) + extensions.get(NSCertTypeExtension.NAME); } catch (IOException e) { // extension isn't there. nsCertTypeExt = null; } // XXX agent servlet currently sets this. it should be // delayed to here. - if (nsCertTypeExt != null - && extensionIsGood(nsCertTypeExt, req)) { - CMS.debug("NSCertTypeExt: already has correct ns cert type ext"); + if (nsCertTypeExt != null && + extensionIsGood(nsCertTypeExt, req)) { + CMS.debug( + "NSCertTypeExt: already has correct ns cert type ext"); return PolicyResult.ACCEPTED; - } else if ((nsCertTypeExt != null) - && (certType.equals("ocspResponder"))) { + } else if ((nsCertTypeExt != null) && + (certType.equals("ocspResponder"))) { // Fix for #528732 : Always delete // this extension from OCSP signing cert extensions.delete(NSCertTypeExtension.NAME); 
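Review bot: `certType` can be null at the `else if` in this hunk — it comes from `req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE)`, the same lookup that `getCertTypeBits` later null-checks — yet `certType.equals("ocspResponder")` is called unguarded, and the enclosing `try` catches only `IOException` and `CertificateException`, so a request that already carries an nsCertType extension but no cert-type parameter would escape the policy with a `NullPointerException` instead of a `PolicyResult`. Reverse the comparison so the literal is the receiver: `} else if ((nsCertTypeExt != null) && "ocspResponder".equals(certType)) {`. `applyCert` continues past the end of this hunk.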
@@ -212,11 +216,12 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); - CMS.debug("NSCertTypeExt: Created extensions for adding ns cert type.."); + CMS.debug( + "NSCertTypeExt: Created extensions for adding ns cert type.."); } } // add ns cert type extension if not set or not set correctly. @@ -224,15 +229,13 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, bits = getBitsFromRequest(req, mSetDefaultBits); - // check if ca doesn't allow any subordinate ca - if (mCAPathLen == 0 && bits != null) { - if (bits[NSCertTypeExtension.SSL_CA_BIT] - || bits[NSCertTypeExtension.EMAIL_CA_BIT] - || bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { - setError( - req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + // check if ca doesn't allow any subordinate ca + if (mCAPathLen == 0 && bits != null) { + if (bits[NSCertTypeExtension.SSL_CA_BIT] || + bits[NSCertTypeExtension.EMAIL_CA_BIT] || + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME); return PolicyResult.REJECTED; } } @@ -246,11 +249,11 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, int j; for (j = 0; bits != null && j < bits.length; j++) - if (bits[j]) - break; + if (bits[j]) break; if (bits == null || j == bits.length) { if (!mSetDefaultBits) { - CMS.debug("NSCertTypeExt: no bits requested, not setting default."); + CMS.debug( + "NSCertTypeExt: no bits requested, not setting default."); return PolicyResult.ACCEPTED; } else bits = DEF_BITS; 
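Review bot: The subordinate-CA guard in the `-224` hunk only fires when `mCAPathLen == 0`; when the issuing CA has no path-length constraint (`init()` stores `caCert.getBasicConstraints()`, which is -1 in that case, and -1 is also the field's initial value) the `SSL_CA`, `EMAIL_CA` and `OBJECT_SIGNING_CA` bits that `getNSCertTypeBits` reads straight from `HTTP_PARAMS` are accepted for any `certType`, including client and server requests. Unless the enrollment servlet already strips these form parameters (not visible here), the policy should also tie CA bits to the CA cert type, e.g. change the outer condition to `if ((mCAPathLen == 0 || !IRequest.CA_CERT.equals(certType)) && bits != null) {` and use a distinct user message for the non-CA case so the rejection reason is accurate. `certType` is read at the top of `applyCert`, which begins before these hunks, and the `DEF_BITS` fallback in the `-246` hunk relies on an initialiser that is not visible in this diff.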
@@ -260,40 +263,39 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, extensions.set(NSCertTypeExtension.NAME, nsCertTypeExt); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** - * check if ns cert type extension is set correctly, correct bits if not. if - * not authorized to set extension, bits will be replaced. + * check if ns cert type extension is set correctly, + * correct bits if not. + * if not authorized to set extension, bits will be replaced. */ - protected boolean extensionIsGood(NSCertTypeExtension nsCertTypeExt, - IRequest req) throws IOException, CertificateException { + protected boolean extensionIsGood( + NSCertTypeExtension nsCertTypeExt, IRequest req) + throws IOException, CertificateException { // always return false for now to make sure minimum is set. // agents and ee can add others. - // must be agent approved or authenticated for allowing extensions + // must be agent approved or authenticated for allowing extensions // which is always the case if we get to this point. 
IAuthToken token = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); if (!agentApproved(req) && token == null) { // don't know where this came from. // set all bits to false to reset. - CMS.debug("NSCertTypeExt: unknown origin: setting ns cert type bits to false"); + CMS.debug( + "NSCertTypeExt: unknown origin: setting ns cert type bits to false"); boolean[] bits = new boolean[8]; for (int i = bits.length - 1; i >= 0; i--) { 
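Review bot: The reset path in `extensionIsGood` allocates `boolean[] bits = new boolean[8]`, while every other bit array in this file is sized `NSCertTypeExtension.NBITS` (`DEF_BITS`, `getNSCertTypeBits`); if the two ever diverge the reset for an unauthenticated, non-agent-approved request either leaves bits untouched or indexes past the extension's range in `mergeBits`. Use `boolean[] bits = new boolean[NSCertTypeExtension.NBITS];` — and since Java zero-initialises arrays, the loop that follows (its body is past this hunk, but it appears to be a false-fill) becomes redundant. The header comment `always return false for now to make sure minimum is set` also no longer matches the body, which returns true from the CA and client branches in the next hunk; it should state the actual contract: bits are reset when the request is neither agent-approved nor authenticated, otherwise the minimum bits for the requested cert type are filled in. `extensionIsGood` continues past the end of this hunk.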
@@ -313,37 +315,37 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, return true; } if (certType.equals(IRequest.CA_CERT)) { - if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.EMAIL_CA_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_CA_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { // min not set so set all. - CMS.debug("NSCertTypeExt: is extension good: no ca bits set. set all"); + CMS.debug( + "NSCertTypeExt: is extension good: no ca bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, - Boolean.valueOf(true)); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.EMAIL_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); } return true; } else if (certType.equals(IRequest.CLIENT_CERT)) { - if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) - && !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.SSL_SERVER_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.OBJECT_SIGNING_BIT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.SSL_SERVER_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_BIT)) { // min not set so set all. - CMS.debug("NSCertTypeExt: is extension good: no cl bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, - new Boolean(true)); - nsCertTypeExt.set(NSCertTypeExtension.EMAIL, new Boolean( - true)); + CMS.debug( + "NSCertTypeExt: is extension good: no cl bits set. 
set all"); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, + new Boolean(true)); + nsCertTypeExt.set(NSCertTypeExtension.EMAIL, + new Boolean(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING, - new Boolean(true)); + new Boolean(true)); } return true; } else if (certType.equals(IRequest.SERVER_CERT)) { @@ -356,13 +358,14 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } /** - * Gets ns cert type bits from request. If none set, use cert type to - * determine correct bits. If no cert type, use default. - */ + * Gets ns cert type bits from request. + * If none set, use cert type to determine correct bits. + * If no cert type, use default. + */ protected boolean[] getBitsFromRequest(IRequest req, boolean setDefault) { boolean[] bits = null; - + CMS.debug("NSCertTypeExt: ns cert type getting ns cert type vars"); bits = getNSCertTypeBits(req); if (bits == null && setDefault) { 
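Review bot: Within the same method the CA branch sets bits with `Boolean.valueOf(true)` while the client branch uses `new Boolean(true)` three times, which allocates a fresh object on every call; the reformat preserved both forms. Use one form for all of them, e.g. `nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, Boolean.TRUE);` and likewise for `EMAIL` and `OBJECT_SIGNING`. In this rendering the debug literal `"NSCertTypeExt: is extension good: no cl bits set. set all"` is shown broken across two lines; if that is what the new side really contains it will not compile, so confirm it is a single literal (or a `+` concatenation) in the committed file. The `SERVER_CERT` branch and the remainder of `extensionIsGood` lie outside this hunk.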
@@ -385,31 +388,34 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, boolean[] bits = new boolean[NSCertTypeExtension.NBITS]; bits[NSCertTypeExtension.SSL_CLIENT_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.SSL_CLIENT, false); + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CLIENT, false); - bits[NSCertTypeExtension.SSL_SERVER_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.SSL_SERVER, false); + bits[NSCertTypeExtension.SSL_SERVER_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_SERVER, false); bits[NSCertTypeExtension.EMAIL_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.EMAIL, false); + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL, false); bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.OBJECT_SIGNING, false); + // XXX should change this to is ns cert type ssl_client defn. 
+ req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.OBJECT_SIGNING, false); - bits[NSCertTypeExtension.SSL_CA_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.SSL_CA, false); + bits[NSCertTypeExtension.SSL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CA, false); - bits[NSCertTypeExtension.EMAIL_CA_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.EMAIL_CA, false); + bits[NSCertTypeExtension.EMAIL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL_CA, false); - bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = req - .getExtDataInBoolean(IRequest.HTTP_PARAMS, + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, NSCertTypeExtension.OBJECT_SIGNING_CA, false); // if nothing set, return null. 
@@ -433,24 +439,24 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, * get cert type bits according to cert type. */ protected boolean[] getCertTypeBits(IRequest req) { - String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - if (certType == null || certType.length() == 0) + if (certType == null || certType.length() == 0) return null; boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - for (int i = bits.length - 1; i >= 0; i--) + for (int i = bits.length - 1; i >= 0; i--) bits[i] = false; if (certType.equals(IRequest.CLIENT_CERT)) { CMS.debug("NSCertTypeExt: setting bits for client cert"); - // we can only guess here when it's client. + // we can only guess here when it's client. // sets all client bit for default. bits[NSCertTypeExtension.SSL_CLIENT_BIT] = true; bits[NSCertTypeExtension.EMAIL_BIT] = true; - // bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; + //bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; } else if (certType.equals(IRequest.SERVER_CERT)) { CMS.debug("NSCertTypeExt: setting bits for server cert"); bits[NSCertTypeExtension.SSL_SERVER_BIT] = true; @@ -471,8 +477,9 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } /** - * merge bits with those set from form. make sure required minimum is set. - * Agent or auth can set others. XXX form shouldn't set the extension + * merge bits with those set from form. + * make sure required minimum is set. Agent or auth can set others. + * XXX form shouldn't set the extension */ public void mergeBits(NSCertTypeExtension nsCertTypeExt, boolean[] bits) { for (int i = bits.length - 1; i >= 0; i--) { 
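Review bot: `getCertTypeBits` sizes its array with `new boolean[KeyUsageExtension.NBITS]` but then indexes it with `NSCertTypeExtension.*_BIT` constants and hands it to the nsCertType extension path like every other bit array in this file, all of which use `NSCertTypeExtension.NBITS`; if the two counts differ this is either an out-of-range index or a wrongly sized array reaching `mergeBits`. Change it to `boolean[] bits = new boolean[NSCertTypeExtension.NBITS];` and drop the explicit false-fill loop beneath it, which is redundant because Java zero-initialises the array. The `mergeBits` Javadoc in the second hunk still carries `XXX form shouldn't set the extension`; that note is the security-relevant caveat here and deserves a sentence on why (form parameters are requester-controlled), rather than being left as an `XXX`.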
@@ -485,47 +492,49 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); params.addElement(PROP_SET_DEFAULT_BITS + "=" + mSetDefaultBits); - // new Boolean(mSetDefaultBits).toString()); + //new Boolean(mSetDefaultBits).toString()); return params; } private static Vector mDefParams = new Vector(); static { - mDefParams.addElement(PROP_CRITICAL + "=false"); - mDefParams.addElement(PROP_SET_DEFAULT_BITS + "=" - + DEF_SET_DEFAULT_BITS); + mDefParams.addElement( + PROP_CRITICAL + "=false"); + mDefParams.addElement( + PROP_SET_DEFAULT_BITS + "=" + DEF_SET_DEFAULT_BITS); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;Netscape recommendation: non-critical.", - PROP_SET_DEFAULT_BITS - + ";boolean;Specify whether to set the Netscape certificate " - + "type extension with default bits ('ssl client' and 'email') in certificates " - + "specified by the predicate " + "expression.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-nscerttype", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Netscape Certificate Type extension." }; + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_SET_DEFAULT_BITS + ";boolean;Specify whether to set the Netscape certificate " + + "type extension with default bits ('ssl client' and 'email') in certificates " + + "specified by the predicate " + + "expression.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nscerttype", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Netscape Certificate Type extension." + }; return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } } + |
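Review bot: The `getExtendedPluginInfo` help text promises that `setDefaultBits` installs `default bits ('ssl client' and 'email')`, but the `DEF_BITS` array this file declares is `new boolean[NSCertTypeExtension.NBITS]` with no initialiser visible in the diff; if nothing elsewhere populates it, the `bits = DEF_BITS` fallback in `applyCert` would add an nsCertType extension with no bits set at all, contradicting the documented default. Either initialise it explicitly at the declaration, `DEF_BITS[NSCertTypeExtension.SSL_CLIENT_BIT] = DEF_BITS[NSCertTypeExtension.EMAIL_BIT] = true;` in a static block, or correct the help string to describe what is really emitted. Separately, `getDefaultParams()` hands out the shared static `mDefParams` vector, so a caller can mutate the plugin's defaults; returning a copy (`new Vector(mDefParams)`) avoids that.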