Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java | 206 |
1 files changed, 98 insertions, 108 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java index 717c19f70..733b75250 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -40,31 +39,28 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Policy Constraints Extension Policy - * Adds the policy constraints extension to (CA) certificates. - * Filtering of CA certificates is done through predicates. + * Policy Constraints Extension Policy Adds the policy constraints extension to + * (CA) certificates. Filtering of CA certificates is done through predicates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class PolicyConstraintsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class PolicyConstraintsExt extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; - protected static final String - PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; - protected static final String - PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; + protected static final String PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; + protected static final String PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; protected static final boolean DEF_CRITICAL = false; - protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set - protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set + protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set + protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set protected boolean mEnabled = false; protected IConfigStore mConfig = null; 
@@ -79,10 +75,10 @@ public class PolicyConstraintsExt extends APolicyRule protected static Vector mDefaultParams = new Vector(); static { mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefaultParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY); - mDefaultParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING); + mDefaultParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" + + DEF_REQ_EXPLICIT_POLICY); + mDefaultParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" + + DEF_INHIBIT_POLICY_MAPPING); } public PolicyConstraintsExt() { 
@@ -93,100 +89,90 @@ public class PolicyConstraintsExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca + * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - // XXX should do do this ? - // if CA does not allow subordinate CAs by way of basic constraints, - // this policy always rejects + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects /***** - ICertAuthority certAuthority = (ICertAuthority) - ((GenericPolicyProcessor)owner).mAuthority; - if (certAuthority instanceof ICertificateAuthority) { - CertificateChain caChain = certAuthority.getCACertChain(); - X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. - if (caChain != null) { - caCert = caChain.getFirstCertificate(); - if (caCert != null) - mCAPathLen = caCert.getBasicConstraints(); - } - } + * ICertAuthority certAuthority = (ICertAuthority) + * ((GenericPolicyProcessor)owner).mAuthority; if (certAuthority + * instanceof ICertificateAuthority) { CertificateChain caChain = + * certAuthority.getCACertChain(); X509Certificate caCert = null; // + * Note that in RA the chain could be null if CA was not up when // RA + * was started. In that case just set the length to -1 and let // CA + * reject if it does not allow any subordinate CA certs. 
if (caChain != + * null) { caCert = caChain.getFirstCertificate(); if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); } } ****/ - mEnabled = mConfig.getBoolean( - IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mReqExplicitPolicy = mConfig.getInteger( - PROP_REQ_EXPLICIT_POLICY, DEF_REQ_EXPLICIT_POLICY); - mInhibitPolicyMapping = mConfig.getInteger( - PROP_INHIBIT_POLICY_MAPPING, DEF_INHIBIT_POLICY_MAPPING); + mReqExplicitPolicy = mConfig.getInteger(PROP_REQ_EXPLICIT_POLICY, + DEF_REQ_EXPLICIT_POLICY); + mInhibitPolicyMapping = mConfig.getInteger(PROP_INHIBIT_POLICY_MAPPING, + DEF_INHIBIT_POLICY_MAPPING); - if (mReqExplicitPolicy < -1) + if (mReqExplicitPolicy < -1) mReqExplicitPolicy = -1; - if (mInhibitPolicyMapping < -1) + if (mInhibitPolicyMapping < -1) mInhibitPolicyMapping = -1; - - // create instance of policy constraings extension + + // create instance of policy constraings extension try { - mPolicyConstraintsExtension = - new PolicyConstraintsExtension(mCritical, - mReqExplicitPolicy, mInhibitPolicyMapping); - CMS.debug( - "PolicyConstraintsExt: Created Policy Constraints Extension: " + - mPolicyConstraintsExtension); + mPolicyConstraintsExtension = new PolicyConstraintsExtension( + mCritical, mReqExplicitPolicy, mInhibitPolicyMapping); + CMS.debug("PolicyConstraintsExt: Created Policy Constraints Extension: " + + mPolicyConstraintsExtension); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Could not init Policy Constraints Extension. 
Error: " + e)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + "Could not init Policy Constraints Extension. Error: " + e)); } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); - mInstanceParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" + + mReqExplicitPolicy); + mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" + + mInhibitPolicyMapping); } /** * Adds Policy Constraints Extension to a (CA) certificate. * - * If a Policy constraints Extension is already there, accept it if - * it's been approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * If a Policy constraints Extension is already there, accept it if it's + * been approved by agent, else replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - // if extension hasn't been properly configured reject requests until + // if extension hasn't been properly configured reject requests until // it has been resolved (or disabled). if (mPolicyConstraintsExtension == null) { return PolicyResult.ACCEPTED; } // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { 
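Review bot: The guard at the top of `apply()` fails open: the comment on the new side says "if extension hasn't been properly configured reject requests until it has been resolved (or disabled)", but the branch `if (mPolicyConstraintsExtension == null) { return PolicyResult.ACCEPTED; }` lets the request through without the extension, so a CA certificate can be issued with no policy constraints at all if the rule was ever left half-initialised. Since `init()` throws `EBaseException` when the extension cannot be built, this branch is only reached when the rule is used without a successful `init()`, but that is exactly the case the comment wants rejected. I would change it to `setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, "Policy Constraints Extension not initialized");` followed by `return PolicyResult.REJECTED;`, or, if accept-without-extension is the intended behaviour, fix the comment so the two agree. Note that `apply()` continues past the end of this hunk, so the rest of the loop body is not visible here.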
@@ -205,16 +191,16 @@ public class PolicyConstraintsExt extends APolicyRule // else ignore. try { PolicyConstraintsExtension policyConstraintsExt = null; - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - policyConstraintsExt = (PolicyConstraintsExtension) - extensions.get(PolicyConstraintsExtension.NAME); + policyConstraintsExt = (PolicyConstraintsExtension) extensions + .get(PolicyConstraintsExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (policyConstraintsExt != null) { 
@@ -226,65 +212,69 @@ public class PolicyConstraintsExt extends APolicyRule } if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, new CertificateVersion( + CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set( - "PolicyConstriantsExt", mPolicyConstraintsExtension); + extensions.set("PolicyConstriantsExt", mPolicyConstraintsExtension); CMS.debug("PolicyConstraintsExt: added our policy constraints extension"); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * gets plugin info for pretty console edit displays. + * gets plugin info for pretty console edit displays. */ public String[] getExtendedPluginInfo(Locale locale) { mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); - mInstanceParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" + + mReqExplicitPolicy); + mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" + + mInhibitPolicyMapping); String[] params = { - PROP_CRITICAL + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", - PROP_REQ_EXPLICIT_POLICY + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.", - PROP_INHIBIT_POLICY_MAPPING + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.", - IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-policyconstraints" - }; + PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", + PROP_REQ_EXPLICIT_POLICY + + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.", + PROP_INHIBIT_POLICY_MAPPING + + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-policyconstraints" }; return params; } } - |
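Review bot: `getExtendedPluginInfo()` on the new side appends the three `PROP_*=value` pairs to `mInstanceParams` on every call, although `init()` already added the same three entries, so `getInstanceParams()` returns a list that grows with duplicates each time the console displays this rule. The method only needs to build its local `params` array; I would remove those three `mInstanceParams.addElement(...)` calls at the start of the method. Separately, the key in `extensions.set("PolicyConstriantsExt", mPolicyConstraintsExtension)` earlier in this hunk is misspelled and differs from the `PolicyConstraintsExtension.NAME` alias used for the lookup in the previous hunk; depending on how `CertificateExtensions` keys its entries this may mean a later lookup misses the extension and a second one is added under a different alias, which is worth confirming against that class.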