Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java | 210 |
1 files changed, 103 insertions, 107 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
index c9ce68f65..f4fac64fb 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.extensions;
-
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.Locale;
@@ -42,56 +41,53 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
-
 /**
 *
- * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2.
- * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt.
+ * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. New Policy is
+ * com.netscape.certsrv.policy.SubjectAltNameExt.
 * <p>
 *
 * Subject Alternative Name extension policy in CMS 4.1.
- *
- * Adds the subject alternative name extension depending on the
- * certificate type requested.
- *
- * Two forms are supported. 1) For S/MIME certificates, email
- * addresses are copied from data stored in the request by the
- * authentication component. Both 'e' and 'altEmail' are supported
- * so that both the primary address and alternative forms may be
- * certified. Only the primary goes in the subjectName position (which
- * should be phased out).
- *
- * e
- * mailAlternateAddress
+ *
+ * Adds the subject alternative name extension depending on the certificate type
+ * requested.
+ *
+ * Two forms are supported. 1) For S/MIME certificates, email addresses are
+ * copied from data stored in the request by the authentication component. Both
+ * 'e' and 'altEmail' are supported so that both the primary address and
+ * alternative forms may be certified. Only the primary goes in the subjectName
+ * position (which should be phased out).
+ *
+ * e mailAlternateAddress
 * <P>
+ *
 * <PRE>
 * NOTE: The Policy Framework has been replaced by the Profile Framework.
 * </PRE>
 * <P>
- *
+ *
 * @deprecated
 * @version $Revision$, $Date$
 */
-public class SubjAltNameExt extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
- // for future use. currently always allow.
+public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy,
+ IExtendedPluginInfo {
+ // for future use. currently always allow.
 protected static final String PROP_AGENT_OVERR = "allowAgentOverride";
 protected static final String PROP_EE_OVERR = "AllowEEOverride";
- protected static final String PROP_ENABLE_MANUAL_VALUES =
- "enableManualValues";
+ protected static final String PROP_ENABLE_MANUAL_VALUES = "enableManualValues";
- // for future use. currently always non-critical
- // (standard says SHOULD be marked critical if included.)
+ // for future use. currently always non-critical
+ // (standard says SHOULD be marked critical if included.)
 protected static final String PROP_CRITICAL = "critical";
- // for future use to allow overrides from forms.
+ // for future use to allow overrides from forms.
 // request must be agent approved or authenticated.
 protected boolean mAllowAgentOverride = false;
 protected boolean mAllowEEOverride = false;
 protected boolean mEnableManualValues = false;
- // for future use. currently always critical
- // (standard says SHOULD be marked critical if included.)
+ // for future use. currently always critical
+ // (standard says SHOULD be marked critical if included.)
 protected boolean mCritical = false;
 public SubjAltNameExt() {
@@ -101,18 +97,18 @@ public class SubjAltNameExt extends APolicyRule
 public String[] getExtendedPluginInfo(Locale locale) {
 String[] params = {
- PROP_CRITICAL + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-subjaltname",
- IExtendedPluginInfo.HELP_TEXT +
- ";This policy inserts the Subject Alternative Name " +
- "Extension into the certificate. See RFC 2459 (4.2.1.7). " +
- "* Note: you probably want to use this policy in " +
- "conjunction with an authentication manager which sets " +
- "the 'mail' or 'mailalternateaddress' values in the authToken. " +
- "See the 'ldapStringAttrs' parameter in the Directory-based " +
- "authentication plugin"
- };
+ PROP_CRITICAL
+ + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-subjaltname",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";This policy inserts the Subject Alternative Name "
+ + "Extension into the certificate. See RFC 2459 (4.2.1.7). "
+ + "* Note: you probably want to use this policy in "
+ + "conjunction with an authentication manager which sets "
+ + "the 'mail' or 'mailalternateaddress' values in the authToken. "
+ + "See the 'ldapStringAttrs' parameter in the Directory-based "
+ + "authentication plugin" };
 return params;
@@ -121,40 +117,40 @@ public class SubjAltNameExt extends APolicyRule
 /**
 * Initializes this policy rule.
 * <P>
- *
+ *
 * The entries may be of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt
- * ra.Policy.rule.<ruleName>.enable=true
- *
- * @param config The config store reference
+ *
+ * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt
+ * ra.Policy.rule.<ruleName>.enable=true
+ *
+ * @param config The config store reference
 */
 public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
 // future use.
 mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false);
 mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false);
 mCritical = config.getBoolean(PROP_CRITICAL, false);
- // mEnableManualValues = config.getBoolean(PROP_ENABLE_MANUAL_VALUES, false);
+ // mEnableManualValues = config.getBoolean(PROP_ENABLE_MANUAL_VALUES,
+ // false);
 }
 /**
 * Adds the subject alternative names extension if not set already.
- *
+ *
 * <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
 * @return The policy result object.
 */
 public PolicyResult apply(IRequest req) {
 PolicyResult res = PolicyResult.ACCEPTED;
 // Find the X509CertInfo object in the request
- X509CertInfo[] ci =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
 if (ci == null || ci[0] == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
+ setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
 return PolicyResult.REJECTED; // unrecoverable error.
 }
@@ -174,12 +170,11 @@ public class SubjAltNameExt extends APolicyRule
 //
 // General error handling block
 //
- apply:
- try {
+ apply: try {
 // Find the extensions in the certInfo
- CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
+ CertificateExtensions extensions = (CertificateExtensions) certInfo
+ .get(X509CertInfo.EXTENSIONS);
 if (extensions != null) {
 //
@@ -193,17 +188,16 @@ public class SubjAltNameExt extends APolicyRule
 }
 //
- // Determine the type of the request. For future expansion
+ // Determine the type of the request. For future expansion
 // this test should dispatch to a specialized object to
- // handle each particular type. For now just return for
+ // handle each particular type. For now just return for
 // non-client certs, and implement client certs directly here.
 //
- String certType =
- req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE);
+ String certType = req.getExtDataInString(IRequest.HTTP_PARAMS,
+ IRequest.CERT_TYPE);
- if (certType == null ||
- !certType.equals(IRequest.CLIENT_CERT) ||
- !req.getExtDataInBoolean(IRequest.SMIME, false)) {
+ if (certType == null || !certType.equals(IRequest.CLIENT_CERT)
+ || !req.getExtDataInBoolean(IRequest.SMIME, false)) {
 break apply;
 }
@@ -212,30 +206,36 @@ public class SubjAltNameExt extends APolicyRule
 IAuthToken tok = findAuthToken(req, null);
- if (tok == null) break apply;
+ if (tok == null)
+ break apply;
 Vector emails = getEmailList(tok);
- if (emails == null) break apply;
+ if (emails == null)
+ break apply;
- // Create the extension
+ // Create the extension
 SubjectAlternativeNameExtension subjAltNameExt = mkExt(emails);
 if (extensions == null)
 extensions = createCertificateExtensions(certInfo);
- extensions.set(SubjectAlternativeNameExtension.NAME,
- subjAltNameExt);
+ extensions
+ .set(SubjectAlternativeNameExtension.NAME, subjAltNameExt);
 } catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, e.getMessage());
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, e.getMessage());
 return PolicyResult.REJECTED; // unrecoverable error.
 } catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Certificate Info Error");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString()));
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, "Certificate Info Error");
 return PolicyResult.REJECTED; // unrecoverable error.
 }
@@ -243,18 +243,17 @@ public class SubjAltNameExt extends APolicyRule
 }
 /**
- * Find a particular authentication token by manager name.
- * If the token is not present return null
+ * Find a particular authentication token by manager name. If the token is
+ * not present return null
 */
- protected IAuthToken
- findAuthToken(IRequest req, String authMgrName) {
+ protected IAuthToken findAuthToken(IRequest req, String authMgrName) {
 return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN);
 }
 /**
- * Generate a String Vector containing all the email addresses
- * found in this Authentication token
+ * Generate a String Vector containing all the email addresses found in this
+ * Authentication token
 */
 protected Vector /* of String */ getEmailList(IAuthToken tok) {
@@ -264,7 +263,8 @@ public class SubjAltNameExt extends APolicyRule
 addValues(tok, "mail", v);
 addValues(tok, "mailalternateaddress", v);
- if (v.size() == 0) return null;
+ if (v.size() == 0)
+ return null;
 return v;
 }
@@ -272,11 +272,11 @@ public class SubjAltNameExt extends APolicyRule
 /**
 * Add attribute values from an LDAP attribute to a vector
 */
- protected void
- addValues(IAuthToken tok, String attrName, Vector v) {
+ protected void addValues(IAuthToken tok, String attrName, Vector v) {
 String attr[] = tok.getInStringArray(attrName);
- if (attr == null) return;
+ if (attr == null)
+ return;
 for (int i = 0; i < attr.length; i++) {
 v.addElement(attr[i]);
@@ -286,9 +286,8 @@ public class SubjAltNameExt extends APolicyRule
 /**
 * Make a Subject name extension given a list of email addresses
 */
- protected SubjectAlternativeNameExtension
- mkExt(Vector emails)
- throws IOException {
+ protected SubjectAlternativeNameExtension mkExt(Vector emails)
+ throws IOException {
 SubjectAlternativeNameExtension sa;
 GeneralNames gns = new GeneralNames();
@@ -304,19 +303,17 @@ public class SubjAltNameExt extends APolicyRule
 }
 /**
- * Create a new SET of extensions in the certificate info
- * object.
- *
+ * Create a new SET of extensions in the certificate info object.
+ *
 * This should be a method in the X509CertInfo object
 */
- protected CertificateExtensions
- createCertificateExtensions(X509CertInfo certInfo)
- throws IOException, CertificateException {
+ protected CertificateExtensions createCertificateExtensions(
+ X509CertInfo certInfo) throws IOException, CertificateException {
 CertificateExtensions extensions;
 // Force version to V3
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
+ certInfo.set(X509CertInfo.VERSION, new CertificateVersion(
+ CertificateVersion.V3));
 extensions = new CertificateExtensions();
 certInfo.set(X509CertInfo.EXTENSIONS, extensions);
@@ -326,34 +323,33 @@ public class SubjAltNameExt extends APolicyRule
 /**
 * Return configured parameters for a policy rule instance.
- *
+ *
 * @return nvPairs A Vector of name/value pairs.
 */
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
 Vector params = new Vector();
- //params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride);
- //params.addElement("PROP_EE_OVERR = " + mAllowEEOverride);
+ // params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride);
+ // params.addElement("PROP_EE_OVERR = " + mAllowEEOverride);
 params.addElement(PROP_CRITICAL + "=" + mCritical);
 // params.addElement(PROP_ENABLE_MANUAL_VALUES + " = " +
- // mEnableManualValues);
+ // mEnableManualValues);
 return params;
 }
 /**
 * Return default parameters for a policy implementation.
- *
+ *
 * @return nvPairs A Vector of name/value pairs.
 */
- public Vector getDefaultParams() {
+ public Vector getDefaultParams() {
 Vector defParams = new Vector();
- //defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR);
- //defParams.addElement("PROP_EE_OVERR = " + DEF_EE_OVERR);
+ // defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR);
+ // defParams.addElement("PROP_EE_OVERR = " + DEF_EE_OVERR);
 defParams.addElement(PROP_CRITICAL + "=false");
 // defParams.addElement(PROP_ENABLE_MANUAL_VALUES + "= false");
 return defParams;
 }
 }
- |