summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java139
1 files changed, 66 insertions, 73 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
index c9ce68f65..33a8c3719 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.extensions;
-
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.Locale;
@@ -42,43 +41,36 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
*
- * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2.
- * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt.
+ * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2.
+ * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt.
* <p>
*
* Subject Alternative Name extension policy in CMS 4.1.
- *
- * Adds the subject alternative name extension depending on the
- * certificate type requested.
- *
- * Two forms are supported. 1) For S/MIME certificates, email
- * addresses are copied from data stored in the request by the
- * authentication component. Both 'e' and 'altEmail' are supported
- * so that both the primary address and alternative forms may be
- * certified. Only the primary goes in the subjectName position (which
- * should be phased out).
- *
- * e
- * mailAlternateAddress
+ *
+ * Adds the subject alternative name extension depending on the certificate type requested.
+ *
+ * Two forms are supported. 1) For S/MIME certificates, email addresses are copied from data stored in the request by the authentication component. Both 'e' and 'altEmail' are supported so that both the primary address and alternative forms may be certified. Only the primary goes in the subjectName position (which should be phased out).
+ *
+ * e mailAlternateAddress
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
public class SubjAltNameExt extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+ implements IEnrollmentPolicy, IExtendedPluginInfo {
// for future use. currently always allow.
protected static final String PROP_AGENT_OVERR = "allowAgentOverride";
protected static final String PROP_EE_OVERR = "AllowEEOverride";
protected static final String PROP_ENABLE_MANUAL_VALUES =
- "enableManualValues";
+ "enableManualValues";
// for future use. currently always non-critical
// (standard says SHOULD be marked critical if included.)
@@ -103,15 +95,15 @@ public class SubjAltNameExt extends APolicyRule
String[] params = {
PROP_CRITICAL + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.",
IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-subjaltname",
+ ";configuration-policyrules-subjaltname",
IExtendedPluginInfo.HELP_TEXT +
- ";This policy inserts the Subject Alternative Name " +
- "Extension into the certificate. See RFC 2459 (4.2.1.7). " +
- "* Note: you probably want to use this policy in " +
- "conjunction with an authentication manager which sets " +
- "the 'mail' or 'mailalternateaddress' values in the authToken. " +
- "See the 'ldapStringAttrs' parameter in the Directory-based " +
- "authentication plugin"
+ ";This policy inserts the Subject Alternative Name " +
+ "Extension into the certificate. See RFC 2459 (4.2.1.7). " +
+ "* Note: you probably want to use this policy in " +
+ "conjunction with an authentication manager which sets " +
+ "the 'mail' or 'mailalternateaddress' values in the authToken. " +
+ "See the 'ldapStringAttrs' parameter in the Directory-based " +
+ "authentication plugin"
};
return params;
@@ -121,16 +113,15 @@ public class SubjAltNameExt extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries may be of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt
- * ra.Policy.rule.<ruleName>.enable=true
- *
- * @param config The config store reference
+ *
+ * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt ra.Policy.rule.<ruleName>.enable=true
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
// future use.
mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false);
mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false);
@@ -140,21 +131,21 @@ public class SubjAltNameExt extends APolicyRule
/**
* Adds the subject alternative names extension if not set already.
- *
+ *
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult res = PolicyResult.ACCEPTED;
// Find the X509CertInfo object in the request
- X509CertInfo[] ci =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo[] ci =
+ req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (ci == null || ci[0] == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
+ setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
return PolicyResult.REJECTED; // unrecoverable error.
}
@@ -174,12 +165,11 @@ public class SubjAltNameExt extends APolicyRule
//
// General error handling block
//
- apply:
- try {
+ apply: try {
// Find the extensions in the certInfo
CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
+ certInfo.get(X509CertInfo.EXTENSIONS);
if (extensions != null) {
//
@@ -199,11 +189,11 @@ public class SubjAltNameExt extends APolicyRule
// non-client certs, and implement client certs directly here.
//
String certType =
- req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE);
+ req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE);
if (certType == null ||
- !certType.equals(IRequest.CLIENT_CERT) ||
- !req.getExtDataInBoolean(IRequest.SMIME, false)) {
+ !certType.equals(IRequest.CLIENT_CERT) ||
+ !req.getExtDataInBoolean(IRequest.SMIME, false)) {
break apply;
}
@@ -212,30 +202,32 @@ public class SubjAltNameExt extends APolicyRule
IAuthToken tok = findAuthToken(req, null);
- if (tok == null) break apply;
+ if (tok == null)
+ break apply;
Vector emails = getEmailList(tok);
- if (emails == null) break apply;
+ if (emails == null)
+ break apply;
- // Create the extension
+ // Create the extension
SubjectAlternativeNameExtension subjAltNameExt = mkExt(emails);
if (extensions == null)
extensions = createCertificateExtensions(certInfo);
extensions.set(SubjectAlternativeNameExtension.NAME,
- subjAltNameExt);
+ subjAltNameExt);
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, e.getMessage());
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, e.getMessage());
return PolicyResult.REJECTED; // unrecoverable error.
} catch (CertificateException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Certificate Info Error");
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, "Certificate Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
}
@@ -247,7 +239,7 @@ public class SubjAltNameExt extends APolicyRule
* If the token is not present return null
*/
protected IAuthToken
- findAuthToken(IRequest req, String authMgrName) {
+ findAuthToken(IRequest req, String authMgrName) {
return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN);
}
@@ -264,7 +256,8 @@ public class SubjAltNameExt extends APolicyRule
addValues(tok, "mail", v);
addValues(tok, "mailalternateaddress", v);
- if (v.size() == 0) return null;
+ if (v.size() == 0)
+ return null;
return v;
}
@@ -273,10 +266,11 @@ public class SubjAltNameExt extends APolicyRule
* Add attribute values from an LDAP attribute to a vector
*/
protected void
- addValues(IAuthToken tok, String attrName, Vector v) {
+ addValues(IAuthToken tok, String attrName, Vector v) {
String attr[] = tok.getInStringArray(attrName);
- if (attr == null) return;
+ if (attr == null)
+ return;
for (int i = 0; i < attr.length; i++) {
v.addElement(attr[i]);
@@ -287,8 +281,8 @@ public class SubjAltNameExt extends APolicyRule
* Make a Subject name extension given a list of email addresses
*/
protected SubjectAlternativeNameExtension
- mkExt(Vector emails)
- throws IOException {
+ mkExt(Vector emails)
+ throws IOException {
SubjectAlternativeNameExtension sa;
GeneralNames gns = new GeneralNames();
@@ -306,17 +300,17 @@ public class SubjAltNameExt extends APolicyRule
/**
* Create a new SET of extensions in the certificate info
* object.
- *
+ *
* This should be a method in the X509CertInfo object
*/
- protected CertificateExtensions
- createCertificateExtensions(X509CertInfo certInfo)
- throws IOException, CertificateException {
+ protected CertificateExtensions
+ createCertificateExtensions(X509CertInfo certInfo)
+ throws IOException, CertificateException {
CertificateExtensions extensions;
// Force version to V3
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
+ certInfo.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
extensions = new CertificateExtensions();
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
@@ -326,10 +320,10 @@ public class SubjAltNameExt extends APolicyRule
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
Vector params = new Vector();
//params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride);
@@ -342,10 +336,10 @@ public class SubjAltNameExt extends APolicyRule
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getDefaultParams() {
+ public Vector getDefaultParams() {
Vector defParams = new Vector();
//defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR);
@@ -356,4 +350,3 @@ public class SubjAltNameExt extends APolicyRule
return defParams;
}
}
-
generated by cgit (git 2.34.1) at 2024-07-02 05:17:11 +0000