Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java | 174 |
1 files changed, 86 insertions, 88 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
index 7ff1a6c97..5340c5c2e 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.extensions;
-
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.Enumeration;
@@ -45,33 +44,31 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
-
 /**
  * Subject Alternative Name extension policy.
- *
+ *
  * Adds the subject alternative name extension as configured.
- *
- * Two forms are supported. 1) For S/MIME certificates, email
- * addresses are copied from data stored in the request by the
- * authentication component. Both 'e' and 'altEmail' are supported
- * so that both the primary address and alternative forms may be
- * certified. Only the primary goes in the subjectName position (which
- * should be phased out).
- *
- * e
- * mailAlternateAddress
+ *
+ * Two forms are supported. 1) For S/MIME certificates, email addresses are
+ * copied from data stored in the request by the authentication component. Both
+ * 'e' and 'altEmail' are supported so that both the primary address and
+ * alternative forms may be certified. Only the primary goes in the subjectName
+ * position (which should be phased out).
+ *
+ * e mailAlternateAddress
  * <P>
+ *
  * <PRE>
  * NOTE: The Policy Framework has been replaced by the Profile Framework.
  * </PRE>
  * <P>
- *
+ *
  * @deprecated
  * @version $Revision$, $Date$
  */
-public class SubjectAltNameExt extends APolicyRule
-    implements IEnrollmentPolicy, IExtendedPluginInfo {
-    // (standard says SHOULD be marked critical if included.)
+public class SubjectAltNameExt extends APolicyRule implements
+        IEnrollmentPolicy, IExtendedPluginInfo {
+    // (standard says SHOULD be marked critical if included.)
     protected static final String PROP_CRITICAL = "critical";
     protected static final boolean DEF_CRITICAL = false;
@@ -88,12 +85,11 @@ public class SubjectAltNameExt extends APolicyRule
     static {
         // default params.
         mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL);
-        mDefParams.addElement(
-            IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" +
-            IGeneralNameUtil.DEF_NUM_GENERALNAMES);
+        mDefParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "="
+                + IGeneralNameUtil.DEF_NUM_GENERALNAMES);
         for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) {
             CMS.getSubjAltNameConfigDefaultParams(
-                IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams);
+                    IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams);
         }
     }
@@ -107,31 +103,30 @@ public class SubjectAltNameExt extends APolicyRule
     /**
      * Initializes this policy rule.
      * <P>
-     *
+     *
      * The entries may be of the form:
-     *
-     * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt
-     * ra.Policy.rule.<ruleName>.enable=true
-     *
-     * @param config The config store reference
+     *
+     * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt
+     * ra.Policy.rule.<ruleName>.enable=true
+     *
+     * @param config The config store reference
      */
     public void init(ISubsystem owner, IConfigStore config)
-        throws EBaseException {
+            throws EBaseException {
         mConfig = config;
         // get criticality
         mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL);
         // get enabled
-        mEnabled = mConfig.getBoolean(
-            IPolicyProcessor.PROP_ENABLE, false);
+        mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false);
         // get general names configuration.
-        mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES);
+        mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES);
         if (mNumGNs <= 0) {
-            throw new EBaseException(
-                CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER",
-                    IGeneralNameUtil.PROP_NUM_GENERALNAMES));
+            throw new EBaseException(CMS.getUserMessage(
+                    "CMS_BASE_MUST_BE_POSITIVE_NUMBER",
+                    IGeneralNameUtil.PROP_NUM_GENERALNAMES));
         }
         mGNs = new ISubjAltNameConfig[mNumGNs];
         for (int i = 0; i < mNumGNs; i++) {
@@ -143,8 +138,8 @@ public class SubjectAltNameExt extends APolicyRule
         // init instance params.
         mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical);
-        mInstanceParams.addElement(
-            IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs);
+        mInstanceParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "="
+                + mNumGNs);
         for (int j = 0; j < mGNs.length; j++) {
             mGNs[j].getInstanceParams(mInstanceParams);
         }
@@ -152,21 +147,20 @@ public class SubjectAltNameExt extends APolicyRule
     /**
      * Adds the subject alternative names extension if not set already.
-     *
+     *
      * <P>
-     *
-     * @param req The request on which to apply policy.
+     *
+     * @param req The request on which to apply policy.
      * @return The policy result object.
      */
     public PolicyResult apply(IRequest req) {
         PolicyResult res = PolicyResult.ACCEPTED;
         // Find the X509CertInfo object in the request
-        X509CertInfo[] ci =
-            req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+        X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
         if (ci == null || ci[0] == null) {
-            setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
+            setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
             return PolicyResult.REJECTED; // unrecoverable error.
         }
@@ -185,16 +179,16 @@ public class SubjectAltNameExt extends APolicyRule
         try {
             // Find the extensions in the certInfo
-            CertificateExtensions extensions = (CertificateExtensions)
-                certInfo.get(X509CertInfo.EXTENSIONS);
+            CertificateExtensions extensions = (CertificateExtensions) certInfo
+                    .get(X509CertInfo.EXTENSIONS);
             // Remove any previously computed version of the extension
-            // unless it is from RA. If from RA, accept what RA put in
+            // unless it is from RA. If from RA, accept what RA put in
             // request and don't add our own.
             if (extensions != null) {
                 String sourceId = req.getSourceId();
-                if (sourceId != null && sourceId.length() > 0)
+                if (sourceId != null && sourceId.length() > 0)
                     return res; // accepted
                 try {
                     extensions.delete(SubjectAlternativeNameExtension.NAME);
@@ -209,7 +203,8 @@ public class SubjectAltNameExt extends APolicyRule
             for (int i = 0; i < mNumGNs; i++) {
                 Object value = null;
-                value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr());
+                value = req.getExtDataInString(mGNs[i].getPfx(),
+                        mGNs[i].getAttr());
                 if (value == null) {
                     continue;
                 }
@@ -223,8 +218,8 @@ public class SubjectAltNameExt extends APolicyRule
             }
             // nothing was found in request to put into extension
-            if (gns.size() == 0)
-                return res; // accepted
+            if (gns.size() == 0)
+                return res; // accepted
             String subject = certInfo.get(X509CertInfo.SUBJECT).toString();
@@ -233,10 +228,10 @@ public class SubjectAltNameExt extends APolicyRule
             if (subject.equals("")) {
                 curCritical = true;
             }
-
-            // make the extension
-            SubjectAlternativeNameExtension
-                sa = new SubjectAlternativeNameExtension(curCritical, gns);
+
+            // make the extension
+            SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(
+                    curCritical, gns);
             // add it to certInfo.
             if (extensions == null)
@@ -247,38 +242,41 @@ public class SubjectAltNameExt extends APolicyRule
             return res; // accepted.
         } catch (IOException e) {
-            log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
-            setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
-                NAME, e.getMessage());
+            log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
+            setError(req,
+                    CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+                    NAME, e.getMessage());
             return PolicyResult.REJECTED; // unrecoverable error.
         } catch (CertificateException e) {
-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
-            setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
-                NAME, "Certificate Info Error");
+            log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
+            setError(req,
+                    CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+                    NAME, "Certificate Info Error");
             return PolicyResult.REJECTED; // unrecoverable error.
         } catch (Exception e) {
-            log(ILogger.LL_FAILURE,
-                CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage()));
-            setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
-                NAME, "Internal Error");
+            log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage()));
+            setError(req,
+                    CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+                    NAME, "Internal Error");
             return PolicyResult.REJECTED; // unrecoverable error.
         }
     }
     /**
-     * Create a new SET of extensions in the certificate info
-     * object.
-     *
+     * Create a new SET of extensions in the certificate info object.
+     *
      * This should be a method in the X509CertInfo object
      */
-    protected CertificateExtensions
-    createCertificateExtensions(X509CertInfo certInfo)
-        throws IOException, CertificateException {
+    protected CertificateExtensions createCertificateExtensions(
+            X509CertInfo certInfo) throws IOException, CertificateException {
         CertificateExtensions extensions;
         // Force version to V3
-        certInfo.set(X509CertInfo.VERSION,
-            new CertificateVersion(CertificateVersion.V3));
+        certInfo.set(X509CertInfo.VERSION, new CertificateVersion(
+                CertificateVersion.V3));
         extensions = new CertificateExtensions();
         certInfo.set(X509CertInfo.EXTENSIONS, extensions);
@@ -288,19 +286,19 @@ public class SubjectAltNameExt extends APolicyRule
     /**
      * Return configured parameters for a policy rule instance.
-     *
+     *
      * @return nvPairs A Vector of name/value pairs.
      */
-    public Vector getInstanceParams() {
+    public Vector getInstanceParams() {
         return mInstanceParams;
     }
     /**
      * Return default parameters for a policy implementation.
-     *
+     *
      * @return nvPairs A Vector of name/value pairs.
      */
-    public Vector getDefaultParams() {
+    public Vector getDefaultParams() {
         return mDefParams;
     }
@@ -309,26 +307,26 @@ public class SubjectAltNameExt extends APolicyRule
         // extended plugin info.
         Vector info = new Vector();
-        info.addElement(PROP_CRITICAL + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical.");
+        info.addElement(PROP_CRITICAL
+                + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical.");
         info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO);
         for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) {
             CMS.getSubjAltNameConfigExtendedPluginInfo(
-                IGeneralNameUtil.PROP_GENERALNAME + i, info);
+                    IGeneralNameUtil.PROP_GENERALNAME + i, info);
         }
-        info.addElement(IExtendedPluginInfo.HELP_TOKEN +
-            ";configuration-policyrules-subjaltname");
-        info.addElement(IExtendedPluginInfo.HELP_TEXT +
-            ";This policy inserts the Subject Alternative Name " +
-            "Extension into the certificate. See RFC 2459 (4.2.1.7). " +
-            "* Note: you probably want to use this policy in " +
-            "conjunction with an authentication manager which sets " +
-            "the 'mail' or 'mailalternateaddress' values in the authToken. " +
-            "See the 'ldapStringAttrs' parameter in the Directory-based " +
-            "authentication plugin");
+        info.addElement(IExtendedPluginInfo.HELP_TOKEN
+                + ";configuration-policyrules-subjaltname");
+        info.addElement(IExtendedPluginInfo.HELP_TEXT
+                + ";This policy inserts the Subject Alternative Name "
+                + "Extension into the certificate. See RFC 2459 (4.2.1.7). "
+                + "* Note: you probably want to use this policy in "
+                + "conjunction with an authentication manager which sets "
+                + "the 'mail' or 'mailalternateaddress' values in the authToken. "
+                + "See the 'ldapStringAttrs' parameter in the Directory-based "
+                + "authentication plugin");
         mExtendedPluginInfo = new String[info.size()];
         info.copyInto(mExtendedPluginInfo);
         return mExtendedPluginInfo;
     }
 }
-
|