diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java | 331 |
1 files changed, 0 insertions, 331 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java deleted file mode 100644 index 62f0b21da..000000000 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java +++ /dev/null @@ -1,331 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.policy.extensions; - -import java.io.IOException; -import java.security.cert.CertificateException; -import java.util.Enumeration; -import java.util.Locale; -import java.util.Vector; - -import netscape.security.x509.CertificateExtensions; -import netscape.security.x509.CertificateVersion; -import netscape.security.x509.GeneralName; -import netscape.security.x509.GeneralNames; -import netscape.security.x509.SubjectAlternativeNameExtension; -import netscape.security.x509.X509CertInfo; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.IExtendedPluginInfo; -import com.netscape.certsrv.base.ISubsystem; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.policy.IEnrollmentPolicy; -import com.netscape.certsrv.policy.IGeneralNameUtil; -import com.netscape.certsrv.policy.IPolicyProcessor; -import com.netscape.certsrv.policy.ISubjAltNameConfig; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.PolicyResult; -import com.netscape.cms.policy.APolicyRule; - -/** - * Subject Alternative Name extension policy. - * - * Adds the subject alternative name extension as configured. - * - * Two forms are supported. 1) For S/MIME certificates, email - * addresses are copied from data stored in the request by the - * authentication component. Both 'e' and 'altEmail' are supported - * so that both the primary address and alternative forms may be - * certified. Only the primary goes in the subjectName position (which - * should be phased out). - * - * e - * mailAlternateAddress - * <P> - * - * <PRE> - * NOTE: The Policy Framework has been replaced by the Profile Framework. - * </PRE> - * <P> - * - * @deprecated - * @version $Revision$, $Date$ - */ -public class SubjectAltNameExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { - // (standard says SHOULD be marked critical if included.) - protected static final String PROP_CRITICAL = "critical"; - protected static final boolean DEF_CRITICAL = false; - - protected IConfigStore mConfig = null; - protected boolean mEnabled = false; - protected boolean mCritical = DEF_CRITICAL; - protected int mNumGNs = 0; - protected ISubjAltNameConfig[] mGNs = null; - - Vector<String> mInstanceParams = new Vector<String>(); - - // init default params and extended plugin info. - private static Vector<String> mDefParams = new Vector<String>(); - static { - // default params. - mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement( - IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + - IGeneralNameUtil.DEF_NUM_GENERALNAMES); - for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { - CMS.getSubjAltNameConfigDefaultParams( - IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); - } - } - - private String[] mExtendedPluginInfo = null; - - public SubjectAltNameExt() { - NAME = "SubjectAltNameExt"; - DESC = "Sets alternative subject names for certificates"; - } - - /** - * Initializes this policy rule. - * <P> - * - * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference - */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { - mConfig = config; - - // get criticality - mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - - // get enabled - mEnabled = mConfig.getBoolean( - IPolicyProcessor.PROP_ENABLE, false); - - // get general names configuration. - mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); - if (mNumGNs <= 0) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", - IGeneralNameUtil.PROP_NUM_GENERALNAMES)); - } - mGNs = new ISubjAltNameConfig[mNumGNs]; - for (int i = 0; i < mNumGNs; i++) { - String name = IGeneralNameUtil.PROP_GENERALNAME + i; - IConfigStore substore = mConfig.getSubStore(name); - - mGNs[i] = CMS.createSubjAltNameConfig(name, substore, mEnabled); - } - - // init instance params. - mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement( - IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); - for (int j = 0; j < mGNs.length; j++) { - mGNs[j].getInstanceParams(mInstanceParams); - } - } - - /** - * Adds the subject alternative names extension if not set already. - * - * <P> - * - * @param req The request on which to apply policy. - * @return The policy result object. - */ - public PolicyResult apply(IRequest req) { - PolicyResult res = PolicyResult.ACCEPTED; - - // Find the X509CertInfo object in the request - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - - if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - - return PolicyResult.REJECTED; // unrecoverable error. - } - - for (int i = 0; i < ci.length; i++) { - PolicyResult certRes = applyCert(req, ci[i]); - - if (certRes == PolicyResult.REJECTED) - return certRes; - } - return res; - } - - public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { - PolicyResult res = PolicyResult.ACCEPTED; - - try { - // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); - - // Remove any previously computed version of the extension - // unless it is from RA. If from RA, accept what RA put in - // request and don't add our own. - if (extensions != null) { - String sourceId = req.getSourceId(); - - if (sourceId != null && sourceId.length() > 0) - return res; // accepted - try { - extensions.delete(SubjectAlternativeNameExtension.NAME); - } catch (IOException e) { - // extension isn't there - } - } - - // form list of general names for the extension. - GeneralNames gns = new GeneralNames(); - - for (int i = 0; i < mNumGNs; i++) { - Object value = null; - - value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr()); - if (value == null) { - continue; - } - Vector<GeneralName> gn = mGNs[i].formGeneralNames(value); - - if (gn.size() == 0) - continue; - for (Enumeration<GeneralName> n = gn.elements(); n.hasMoreElements();) { - gns.addElement(n.nextElement()); - } - } - - // nothing was found in request to put into extension - if (gns.size() == 0) - return res; // accepted - - String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); - - boolean curCritical = mCritical; - - if (subject.equals("")) { - curCritical = true; - } - - // make the extension - SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(curCritical, gns); - - // add it to certInfo. - if (extensions == null) - extensions = createCertificateExtensions(certInfo); - - extensions.set(SubjectAlternativeNameExtension.NAME, sa); - - return res; // accepted. - - } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); - return PolicyResult.REJECTED; // unrecoverable error. - } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); - return PolicyResult.REJECTED; // unrecoverable error. - } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Internal Error"); - return PolicyResult.REJECTED; // unrecoverable error. - } - } - - /** - * Create a new SET of extensions in the certificate info - * object. - * - * This should be a method in the X509CertInfo object - */ - protected CertificateExtensions - createCertificateExtensions(X509CertInfo certInfo) - throws IOException, CertificateException { - CertificateExtensions extensions; - - // Force version to V3 - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); - - extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.EXTENSIONS, extensions); - - return extensions; - } - - /** - * Return configured parameters for a policy rule instance. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getInstanceParams() { - return mInstanceParams; - } - - /** - * Return default parameters for a policy implementation. - * - * @return nvPairs A Vector of name/value pairs. - */ - public Vector<String> getDefaultParams() { - return mDefParams; - } - - public String[] getExtendedPluginInfo(Locale locale) { - - // extended plugin info. - Vector<String> info = new Vector<String>(); - - info.addElement(PROP_CRITICAL - + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); - info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); - for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { - CMS.getSubjAltNameConfigExtendedPluginInfo( - IGeneralNameUtil.PROP_GENERALNAME + i, info); - } - info.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjaltname"); - info.addElement(IExtendedPluginInfo.HELP_TEXT + - ";This policy inserts the Subject Alternative Name " + - "Extension into the certificate. See RFC 2459 (4.2.1.7). " + - "* Note: you probably want to use this policy in " + - "conjunction with an authentication manager which sets " + - "the 'mail' or 'mailalternateaddress' values in the authToken. " + - "See the 'ldapStringAttrs' parameter in the Directory-based " + - "authentication plugin"); - mExtendedPluginInfo = new String[info.size()]; - info.copyInto(mExtendedPluginInfo); - return mExtendedPluginInfo; - } - -} |