diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java')
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java | 174 |
1 files changed, 88 insertions, 86 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java index 5340c5c2e..7ff1a6c97 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -44,31 +45,33 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Subject Alternative Name extension policy. - * + * * Adds the subject alternative name extension as configured. - * - * Two forms are supported. 1) For S/MIME certificates, email addresses are - * copied from data stored in the request by the authentication component. Both - * 'e' and 'altEmail' are supported so that both the primary address and - * alternative forms may be certified. Only the primary goes in the subjectName - * position (which should be phased out). - * - * e mailAlternateAddress + * + * Two forms are supported. 1) For S/MIME certificates, email + * addresses are copied from data stored in the request by the + * authentication component. Both 'e' and 'altEmail' are supported + * so that both the primary address and alternative forms may be + * certified. Only the primary goes in the subjectName position (which + * should be phased out). + * + * e + * mailAlternateAddress * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectAltNameExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { - // (standard says SHOULD be marked critical if included.) +public class SubjectAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; protected static final boolean DEF_CRITICAL = false; @@ -85,11 +88,12 @@ public class SubjectAltNameExt extends APolicyRule implements static { // default params. mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" - + IGeneralNameUtil.DEF_NUM_GENERALNAMES); + mDefParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + + IGeneralNameUtil.DEF_NUM_GENERALNAMES); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigDefaultParams( - IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); + IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); } } @@ -103,30 +107,31 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt + * ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // get criticality mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); // get enabled - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); // get general names configuration. - mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); + mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); if (mNumGNs <= 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_MUST_BE_POSITIVE_NUMBER", - IGeneralNameUtil.PROP_NUM_GENERALNAMES)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", + IGeneralNameUtil.PROP_NUM_GENERALNAMES)); } mGNs = new ISubjAltNameConfig[mNumGNs]; for (int i = 0; i < mNumGNs; i++) { @@ -138,8 +143,8 @@ public class SubjectAltNameExt extends APolicyRule implements // init instance params. mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" - + mNumGNs); + mInstanceParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); for (int j = 0; j < mGNs.length; j++) { mGNs[j].getInstanceParams(mInstanceParams); } @@ -147,20 +152,21 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Adds the subject alternative names extension if not set already. - * + * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // Find the X509CertInfo object in the request - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -179,16 +185,16 @@ public class SubjectAltNameExt extends APolicyRule implements try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // Remove any previously computed version of the extension - // unless it is from RA. If from RA, accept what RA put in + // unless it is from RA. If from RA, accept what RA put in // request and don't add our own. if (extensions != null) { String sourceId = req.getSourceId(); - if (sourceId != null && sourceId.length() > 0) + if (sourceId != null && sourceId.length() > 0) return res; // accepted try { extensions.delete(SubjectAlternativeNameExtension.NAME); @@ -203,8 +209,7 @@ public class SubjectAltNameExt extends APolicyRule implements for (int i = 0; i < mNumGNs; i++) { Object value = null; - value = req.getExtDataInString(mGNs[i].getPfx(), - mGNs[i].getAttr()); + value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr()); if (value == null) { continue; } @@ -218,8 +223,8 @@ public class SubjectAltNameExt extends APolicyRule implements } // nothing was found in request to put into extension - if (gns.size() == 0) - return res; // accepted + if (gns.size() == 0) + return res; // accepted String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); @@ -228,10 +233,10 @@ public class SubjectAltNameExt extends APolicyRule implements if (subject.equals("")) { curCritical = true; } - - // make the extension - SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension( - curCritical, gns); + + // make the extension + SubjectAlternativeNameExtension + sa = new SubjectAlternativeNameExtension(curCritical, gns); // add it to certInfo. if (extensions == null) @@ -242,41 +247,38 @@ public class SubjectAltNameExt extends APolicyRule implements return res; // accepted. } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Internal Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Internal Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** - * Create a new SET of extensions in the certificate info object. - * + * Create a new SET of extensions in the certificate info + * object. + * * This should be a method in the X509CertInfo object */ - protected CertificateExtensions createCertificateExtensions( - X509CertInfo certInfo) throws IOException, CertificateException { + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { CertificateExtensions extensions; // Force version to V3 - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); @@ -286,19 +288,19 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } @@ -307,26 +309,26 @@ public class SubjectAltNameExt extends APolicyRule implements // extended plugin info. Vector info = new Vector(); - info.addElement(PROP_CRITICAL - + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); + info.addElement(PROP_CRITICAL + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigExtendedPluginInfo( - IGeneralNameUtil.PROP_GENERALNAME + i, info); + IGeneralNameUtil.PROP_GENERALNAME + i, info); } - info.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subjaltname"); - info.addElement(IExtendedPluginInfo.HELP_TEXT - + ";This policy inserts the Subject Alternative Name " - + "Extension into the certificate. See RFC 2459 (4.2.1.7). " - + "* Note: you probably want to use this policy in " - + "conjunction with an authentication manager which sets " - + "the 'mail' or 'mailalternateaddress' values in the authToken. " - + "See the 'ldapStringAttrs' parameter in the Directory-based " - + "authentication plugin"); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin"); mExtendedPluginInfo = new String[info.size()]; info.copyInto(mExtendedPluginInfo); return mExtendedPluginInfo; } } + |