diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java | 246 |
1 files changed, 125 insertions, 121 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java index 0c763b8aa..31aaa21a1 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -46,21 +45,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Subject Public Key Extension Policy - * Adds the subject public key id extension to certificates. + * Subject Public Key Extension Policy Adds the subject public key id extension + * to certificates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectKeyIdentifierExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class SubjectKeyIdentifierExt extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_KEYID_TYPE = "keyIdentifierType"; protected static final String PROP_REQATTR_NAME = "requestAttrName"; @@ -90,7 +89,7 @@ public class SubjectKeyIdentifierExt extends APolicyRule mDefaultParams.addElement(PROP_KEYID_TYPE + "=" + DEF_KEYID_TYPE); /* - mDefaultParams.addElement(PROP_REQATTR_NAME+"="+DEF_REQATTR_NAME); + * mDefaultParams.addElement(PROP_REQATTR_NAME+"="+DEF_REQATTR_NAME); */ } @@ -102,76 +101,74 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - mEnabled = mConfig.getBoolean( - IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); mKeyIdType = mConfig.getString(PROP_KEYID_TYPE, DEF_KEYID_TYPE); /* - mReqAttrName = mConfig.getString(PROP_REQATTR_NAME, DEF_REQATTR_NAME); + * mReqAttrName = mConfig.getString(PROP_REQATTR_NAME, + * DEF_REQATTR_NAME); */ // parse key id type - if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) + if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) mKeyIdType = KEYID_TYPE_SHA1; - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) mKeyIdType = KEYID_TYPE_TYPEFIELD; - /* - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) - mKeyIdType = KEYID_TYPE_REQATTR; - */ - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) + /* + * else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) mKeyIdType = + * KEYID_TYPE_REQATTR; + */ + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) mKeyIdType = KEYID_TYPE_SPKISHA1; else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_KEYID_TYPE, - "value must be one of " + - KEYID_TYPE_SHA1 + ", " + - KEYID_TYPE_TYPEFIELD + ", " + - KEYID_TYPE_SPKISHA1)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_KEYID_TYPE, "value must be one of " + + KEYID_TYPE_SHA1 + ", " + + KEYID_TYPE_TYPEFIELD + ", " + + KEYID_TYPE_SPKISHA1)); } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement(PROP_KEYID_TYPE + "=" + mKeyIdType); /* - mInstanceParams.addElement(PROP_REQATTR_NAME+"="+mReqAttrName); + * mInstanceParams.addElement(PROP_REQATTR_NAME+"="+mReqAttrName); */ } /** - * Adds Subject Key identifier Extension to a certificate. - * If the extension is already there, accept it. - * - * @param req The request on which to apply policy. + * Adds Subject Key identifier Extension to a certificate. If the extension + * is already there, accept it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -188,28 +185,28 @@ public class SubjectKeyIdentifierExt extends APolicyRule try { // if subject key id extension already exists, leave it if approved. SubjectKeyIdentifierExtension subjectKeyIdExt = null; - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - subjectKeyIdExt = (SubjectKeyIdentifierExtension) - extensions.get(SubjectKeyIdentifierExtension.NAME); + subjectKeyIdExt = (SubjectKeyIdentifierExtension) extensions + .get(SubjectKeyIdentifierExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (subjectKeyIdExt != null) { if (agentApproved(req)) { - CMS.debug( - "SubjectKeyIdentifierExt: agent approved request id " + req.getRequestId() + - " already has subject key id extension with value " + - subjectKeyIdExt); + CMS.debug("SubjectKeyIdentifierExt: agent approved request id " + + req.getRequestId() + + " already has subject key id extension with value " + + subjectKeyIdExt); return PolicyResult.ACCEPTED; } else { - CMS.debug( - "SubjectKeyIdentifierExt: request id from user " + req.getRequestId() + - " had subject key identifier - deleted to be replaced"); + CMS.debug("SubjectKeyIdentifierExt: request id from user " + + req.getRequestId() + + " had subject key identifier - deleted to be replaced"); extensions.delete(SubjectKeyIdentifierExtension.NAME); } } @@ -217,38 +214,40 @@ public class SubjectKeyIdentifierExt extends APolicyRule // create subject key id extension. KeyIdentifier keyId = null; - try { - keyId = formKeyIdentifier(certInfo, req); + try { + keyId = formKeyIdentifier(certInfo, req); } catch (EBaseException e) { setPolicyException(req, e); return PolicyResult.REJECTED; } - subjectKeyIdExt = - new SubjectKeyIdentifierExtension( - mCritical, keyId.getIdentifier()); + subjectKeyIdExt = new SubjectKeyIdentifierExtension(mCritical, + keyId.getIdentifier()); // add subject key id extension. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, new CertificateVersion( + CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set( - SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); - CMS.debug( - "SubjectKeyIdentifierExt: added subject key id ext to request " + req.getRequestId()); + extensions.set(SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); + CMS.debug("SubjectKeyIdentifierExt: added subject key id ext to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", + e.getMessage())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } @@ -256,12 +255,13 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Form the Key Identifier in the Subject Key Identifier extension. * <p> + * * @param certInfo Certificate Info * @param req request * @return A Key Identifier. */ - protected KeyIdentifier formKeyIdentifier( - X509CertInfo certInfo, IRequest req) throws EBaseException { + protected KeyIdentifier formKeyIdentifier(X509CertInfo certInfo, + IRequest req) throws EBaseException { KeyIdentifier keyId = null; if (mKeyIdType == KEYID_TYPE_SHA1) { @@ -269,55 +269,62 @@ public class SubjectKeyIdentifierExt extends APolicyRule } else if (mKeyIdType == KEYID_TYPE_TYPEFIELD) { keyId = formTypeFieldKeyId(certInfo); } /* - else if (mKeyIdType == KEYID_TYPE_REQATTR) { - keyId = formReqAttrKeyId(certInfo, req); - } - */ else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { + * else if (mKeyIdType == KEYID_TYPE_REQATTR) { keyId = + * formReqAttrKeyId(certInfo, req); } + */else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } else { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - mKeyIdType, "Unknown Key Identifier type.")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", mKeyIdType, + "Unknown Key Identifier type.")); } return keyId; } /** - * Form key identifier from a type field value of 0100 followed by - * the least significate 60 bits of the sha-1 hash of the subject - * public key BIT STRING in accordance with RFC 2459. + * Form key identifier from a type field value of 0100 followed by the least + * significate 60 bits of the sha-1 hash of the subject public key BIT + * STRING in accordance with RFC 2459. * <p> + * * @param certInfo - certificate info * @return A Key Identifier with value formulatd as described. */ protected KeyIdentifier formTypeFieldKeyId(X509CertInfo certInfo) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; X509Key key = null; try { - CertificateX509Key certKey = - (CertificateX509Key) certInfo.get(X509CertInfo.KEY); + CertificateX509Key certKey = (CertificateX509Key) certInfo + .get(X509CertInfo.KEY); if (certKey == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); - throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_MISSING_KEY", NAME)); } key = (X509Key) certKey.get(CertificateX509Key.KEY); if (key == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); - throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_MISSING_KEY", NAME)); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", + e.toString())); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", + e.toString())); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } try { byte[] octetString = new byte[8]; @@ -330,50 +337,47 @@ public class SubjectKeyIdentifierExt extends APolicyRule octetString[0] &= (0x08f & octetString[0]); keyId = new KeyIdentifier(octetString); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } return keyId; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * Gets extended plugin info for pretty Console displays. + * Gets extended plugin info for pretty Console displays. */ public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.", - PROP_KEYID_TYPE + ";" + - "choice(" + KEYID_TYPE_SHA1 + "," + - KEYID_TYPE_TYPEFIELD + "," + - KEYID_TYPE_SPKISHA1 + ");" + - "Method to derive the Key Identifier.", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjectkeyidentifier", - IExtendedPluginInfo.HELP_TEXT + - ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)" - }; + PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.", + PROP_KEYID_TYPE + ";" + "choice(" + KEYID_TYPE_SHA1 + "," + + KEYID_TYPE_TYPEFIELD + "," + KEYID_TYPE_SPKISHA1 + + ");" + "Method to derive the Key Identifier.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjectkeyidentifier", + IExtendedPluginInfo.HELP_TEXT + + ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)" }; return params; } } - |