diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions')
24 files changed, 1467 insertions, 1538 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java index b641d91ed..023d704fb 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -43,12 +42,11 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Authority Information Access extension policy. * If this policy is enabled, it adds an authority * information access extension to the certificate. - * + * * The following listed sample configuration parameters: * * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy.AuthInfoAccessExt @@ -67,33 +65,34 @@ import com.netscape.cms.policy.APolicyRule; * ca.Policy.rule.aia.enable=true * ca.Policy.rule.aia.implName=AuthInfoAccess * ca.Policy.rule.aia.predicate= - * + * * Currently, this policy only supports the following location: - * uriName:[URI], dirName:[DN] + * uriName:[URI], dirName:[DN] * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AuthInfoAccessExt extends APolicyRule implements +public class AuthInfoAccessExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = - "critical"; + "critical"; protected static final String PROP_AD = - "ad"; + "ad"; protected static final String PROP_METHOD = - "method"; + "method"; protected static final String PROP_LOCATION = - "location"; + "location"; protected static final String PROP_LOCATION_TYPE = - "location_type"; + "location_type"; protected static final String PROP_NUM_ADS = - "numADs"; + "numADs"; public static final int MAX_AD = 5; @@ -108,13 +107,13 @@ public class AuthInfoAccessExt extends APolicyRule implements Vector v = new Vector(); v.addElement(PROP_CRITICAL + - ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); + ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); v.addElement(PROP_NUM_ADS + - ";number;The total number of access descriptions."); + ";number;The total number of access descriptions."); v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Authority Info Access Extension. Defined in RFC 2459 " + "(4.2.2.1)"); + ";Adds Authority Info Access Extension. Defined in RFC 2459 " + "(4.2.2.1)"); v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-authinfoaccess"); + ";configuration-policyrules-authinfoaccess"); for (int i = 0; i < MAX_AD; i++) { v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD + ";string;" + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); @@ -127,17 +126,15 @@ public class AuthInfoAccessExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; } @@ -152,7 +149,7 @@ public class AuthInfoAccessExt extends APolicyRule implements // for (int i = 0;; i++) { ObjectIdentifier methodOID = null; - String method = mConfig.getString(PROP_AD + + String method = mConfig.getString(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD, null); if (method == null) @@ -161,10 +158,10 @@ public class AuthInfoAccessExt extends APolicyRule implements if (method.equals("")) break; - // - // method ::= ocsp | caIssuers | <OID> - // OID ::= [object identifier] - // + // + // method ::= ocsp | caIssuers | <OID> + // OID ::= [object identifier] + // try { if (method.equalsIgnoreCase("ocsp")) { methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.1"); @@ -185,17 +182,17 @@ public class AuthInfoAccessExt extends APolicyRule implements // TAG ::= uriName | dirName // VALUE ::= [value defined by TAG] // - String location_type = mConfig.getString(PROP_AD + - Integer.toString(i) + + String location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION_TYPE, null); - String location = mConfig.getString(PROP_AD + - Integer.toString(i) + + String location = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION, null); if (location == null) break; GeneralName gn = CMS.form_GeneralName(location_type, location); - Vector e = new Vector(); + Vector e = new Vector(); e.addElement(methodOID); e.addElement(gn); @@ -208,7 +205,7 @@ public class AuthInfoAccessExt extends APolicyRule implements * If this policy is enabled, add the authority information * access extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -220,7 +217,7 @@ public class AuthInfoAccessExt extends APolicyRule implements IRequest.CERT_INFO); if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } @@ -228,8 +225,8 @@ public class AuthInfoAccessExt extends APolicyRule implements certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, "Configuration Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } @@ -237,19 +234,19 @@ public class AuthInfoAccessExt extends APolicyRule implements try { // Find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // add access descriptions Enumeration e = getAccessDescriptions(); if (!e.hasMoreElements()) { return res; - } - + } + if (extensions == null) { // create extension if not exist certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { @@ -262,9 +259,9 @@ public class AuthInfoAccessExt extends APolicyRule implements } // Create the extension - AuthInfoAccessExtension aiaExt = new - AuthInfoAccessExtension(mConfig.getBoolean( - PROP_CRITICAL, false)); + AuthInfoAccessExtension aiaExt = new + AuthInfoAccessExtension(mConfig.getBoolean( + PROP_CRITICAL, false)); while (e.hasMoreElements()) { Vector ad = (Vector) e.nextElement(); @@ -277,17 +274,17 @@ public class AuthInfoAccessExt extends APolicyRule implements } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()), ""); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, "Configuration Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, "Certificate Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } @@ -298,15 +295,15 @@ public class AuthInfoAccessExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); try { - params.addElement(PROP_CRITICAL + "=" + - mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); } catch (EBaseException e) { params.addElement(PROP_CRITICAL + "=false"); } @@ -324,46 +321,46 @@ public class AuthInfoAccessExt extends APolicyRule implements String method = null; try { - method = mConfig.getString(PROP_AD + + method = mConfig.getString(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD, ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_METHOD + "=" + method); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_METHOD + "=" + method); String location_type = null; try { - location_type = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_LOCATION_TYPE, + location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION_TYPE, IGeneralNameUtil.GENNAME_CHOICE_URL); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_LOCATION_TYPE + "=" + location_type); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + location_type); String location = null; try { - location = mConfig.getString(PROP_AD + - Integer.toString(i) + "_" + PROP_LOCATION, + location = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION, ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + - Integer.toString(i) + - "_" + PROP_LOCATION + "=" + location); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION + "=" + location); } return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); @@ -375,14 +372,13 @@ public class AuthInfoAccessExt extends APolicyRule implements // the CMS.cfg // for (int i = 0; i < MAX_AD; i++) { - defParams.addElement(PROP_AD + Integer.toString(i) + - "_" + PROP_METHOD + "="); - defParams.addElement(PROP_AD + Integer.toString(i) + - "_" + PROP_LOCATION_TYPE + "=" + IGeneralNameUtil.GENNAME_CHOICE_URL); - defParams.addElement(PROP_AD + Integer.toString(i) + - "_" + PROP_LOCATION + "="); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_METHOD + "="); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + IGeneralNameUtil.GENNAME_CHOICE_URL); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION + "="); } return defParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java index 612d24925..94a1f19a7 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -45,21 +44,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Authority Public Key Extension Policy - * Adds the subject public key id extension to certificates. + * Adds the subject public key id extension to certificates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class AuthorityKeyIdentifierExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ALT_KEYID_TYPE = "AltKeyIdType"; @@ -98,27 +97,25 @@ public class AuthorityKeyIdentifierExt extends APolicyRule /** * Initializes this policy rule. - * Reads configuration file and creates a authority key identifier - * extension to add. Key identifier inside the extension is constructed as - * the CA's subject key identifier extension if it exists. - * If it does not exist this can be configured to use: - * (1) sha-1 hash of the CA's subject public key info - * (what communicator expects if the CA does not have a subject key + * Reads configuration file and creates a authority key identifier + * extension to add. Key identifier inside the extension is constructed as + * the CA's subject key identifier extension if it exists. + * If it does not exist this can be configured to use: + * (1) sha-1 hash of the CA's subject public key info + * (what communicator expects if the CA does not have a subject key * identifier extension) or (2) No extension set (3) Empty sequence * in Authority Key Identifier extension. - * + * * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mEnabled = mConfig.getBoolean( @@ -131,44 +128,44 @@ public class AuthorityKeyIdentifierExt extends APolicyRule if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_SPKISHA1)) mAltKeyIdType = ALT_KEYID_TYPE_SPKISHA1; - /* - else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) - mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; - */ + /* + else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) + mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; + */ else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_NONE)) mAltKeyIdType = ALT_KEYID_TYPE_NONE; else { log(ILogger.LL_FAILURE, NAME + - CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", mAltKeyIdType)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, + CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", mAltKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " + ALT_KEYID_TYPE_NONE)); } // create authority key id extension. ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. String msg = NAME + ": " + - "Cannot find the Certificate Manager or Registration Manager"; + "Cannot find the Certificate Manager or Registration Manager"; log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); } if (!(certAuthority instanceof ICertificateAuthority)) { log(ILogger.LL_FAILURE, NAME + - CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + " policy can only be used in a Certificate Authority.")); - } + } //CertificateChain caChain = certAuthority.getCACertChain(); //X509Certificate caCert = caChain.getFirstCertificate(); X509CertImpl caCert = certAuthority.getCACert(); - if( caCert == null || CMS.isPreOpMode() ) { + if (caCert == null || CMS.isPreOpMode()) { return; } - KeyIdentifier keyId = formKeyIdentifier(caCert); + KeyIdentifier keyId = formKeyIdentifier(caCert); if (keyId != null) { try { @@ -176,7 +173,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule mCritical, keyId, null, null); } catch (IOException e) { String msg = NAME + ": " + - "Error forming Authority Key Identifier extension: " + e; + "Error forming Authority Key Identifier extension: " + e; log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); @@ -191,26 +188,26 @@ public class AuthorityKeyIdentifierExt extends APolicyRule /** * Adds Authority Key Identifier Extension to a certificate. - * If the extension is already there, accept it if it's from the agent, + * If the extension is already there, accept it if it's from the agent, * else replace it. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, ci[i]); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; @@ -223,7 +220,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule // from agent. else replace it. AuthorityKeyIdentifierExtension authorityKeyIdExt = null; CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { @@ -236,45 +233,45 @@ public class AuthorityKeyIdentifierExt extends APolicyRule if (authorityKeyIdExt != null) { if (agentApproved(req)) { CMS.debug( - "AuthorityKeyIdentifierKeyExt: agent approved request id " + req.getRequestId() + - " already has authority key id extension with value " + - authorityKeyIdExt); + "AuthorityKeyIdentifierKeyExt: agent approved request id " + req.getRequestId() + + " already has authority key id extension with value " + + authorityKeyIdExt); return PolicyResult.ACCEPTED; } else { CMS.debug( - "AuthorityKeyIdentifierKeyExt: request id from user " + req.getRequestId() + - " had authority key identifier - deleted"); + "AuthorityKeyIdentifierKeyExt: request id from user " + req.getRequestId() + + " had authority key identifier - deleted"); extensions.delete(AuthorityKeyIdentifierExtension.NAME); } } // if no authority key identifier should be set b/c CA does not // have a subject key identifier, return here. - if (mTheExtension == null) + if (mTheExtension == null) return PolicyResult.ACCEPTED; - // add authority key id extension. + // add authority key id extension. if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( - AuthorityKeyIdentifierExtension.NAME, mTheExtension); + AuthorityKeyIdentifierExtension.NAME, mTheExtension); CMS.debug( - "AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + req.getRequestId()); + "AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage()), ""); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, "Certificate Info Error"), ""); return PolicyResult.REJECTED; } @@ -284,12 +281,13 @@ public class AuthorityKeyIdentifierExt extends APolicyRule * Form the Key Identifier in the Authority Key Identifier extension. * from the CA's cert. * <p> + * * @param caCertImpl Certificate Info * @return A Key Identifier. * @throws com.netscape.certsrv.base.EBaseException on error */ protected KeyIdentifier formKeyIdentifier(X509CertImpl caCertImpl) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; // get CA's certInfo. @@ -298,50 +296,51 @@ public class AuthorityKeyIdentifierExt extends APolicyRule try { certInfo = (X509CertInfo) caCertImpl.get( X509CertImpl.NAME + "." + X509CertImpl.INFO); - if (certInfo == null) { + if (certInfo == null) { String msg = "Bad CA certificate encountered. " + - "TBS Certificate missing."; + "TBS Certificate missing."; log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); } } catch (CertificateException e) { log(ILogger.LL_FAILURE, NAME + ": " + - CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", e.toString())); + CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", e.toString())); throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + " Error decoding the CA Certificate: " + e)); } // get Key Id from CA's Subject Key Id extension in CA's CertInfo. keyId = getKeyIdentifier(certInfo); - if (keyId != null) + if (keyId != null) return keyId; - // if none exists use the configured alternate. + // if none exists use the configured alternate. if (mAltKeyIdType == ALT_KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } /* - else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { - keyId = formEmptyKeyId(certInfo); - } - */ else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { + else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { + keyId = formEmptyKeyId(certInfo); + } + */else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { keyId = null; } else { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - mAltKeyIdType, + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mAltKeyIdType, "Unknown Alternate Key Identifier type.")); } return keyId; } /** - * Get the Key Identifier in a subject key identifier extension from a + * Get the Key Identifier in a subject key identifier extension from a * CertInfo. + * * @param certInfo the CertInfo structure. * @return Key Identifier in a Subject Key Identifier extension if any. */ - protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) - throws EBaseException { + protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) + throws EBaseException { CertificateExtensions exts = null; SubjectKeyIdentifierExtension subjKeyIdExt = null; KeyIdentifier keyId = null; @@ -357,7 +356,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule CMS.debug(NAME + ": " + "No extensions found. Error " + e); return null; } - if (exts == null) + if (exts == null) return null; try { @@ -366,7 +365,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule } catch (IOException e) { // extension isn't there. CMS.debug( - "AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + e); + "AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + e); return null; } if (subjKeyIdExt == null) @@ -378,7 +377,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule } catch (IOException e) { // no key identifier in subject key id extension. String msg = NAME + ": " + - "Bad Subject Key Identifier Extension found. Error: " + e; + "Bad Subject Key Identifier Extension found. Error: " + e; log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); @@ -388,40 +387,39 @@ public class AuthorityKeyIdentifierExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_CRITICAL + ";boolean;" + - "RFC 2459 recommendation: MUST NOT be marked critical.", + "RFC 2459 recommendation: MUST NOT be marked critical.", PROP_ALT_KEYID_TYPE + ";" + - "choice(" + ALT_KEYID_TYPE_SPKISHA1 + "," + ALT_KEYID_TYPE_NONE + ");" + - "Specifies whether to use a SHA1 hash of the CA's subject " + - "public key info for key identifier or leave out the " + - "authority key identifier extension if the CA certificate " + - "does not have a Subject Key Identifier extension.", + "choice(" + ALT_KEYID_TYPE_SPKISHA1 + "," + ALT_KEYID_TYPE_NONE + ");" + + "Specifies whether to use a SHA1 hash of the CA's subject " + + "public key info for key identifier or leave out the " + + "authority key identifier extension if the CA certificate " + + "does not have a Subject Key Identifier extension.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-authkeyid", + ";configuration-policyrules-authkeyid", IExtendedPluginInfo.HELP_TEXT + - ";Adds Authority Key Identifier Extension. " + - "See RFC 2459 (4.2.1.1)" + ";Adds Authority Key Identifier Extension. " + + "See RFC 2459 (4.2.1.1)" }; return params; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java index 4c2eb4643..545d972dc 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -47,48 +46,48 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Basic Constraints policy. * Adds the Basic constraints extension. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class BasicConstraintsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_MAXPATHLEN = "maxPathLen"; protected static final String PROP_IS_CA = "isCA"; protected static final String PROP_IS_CRITICAL = "critical"; protected static final String ARG_PATHLEN = "BasicConstraintsPathLen"; - protected int mMaxPathLen = 0; // < 0 means unlimited + protected int mMaxPathLen = 0; // < 0 means unlimited protected String mOrigMaxPathLen = ""; // for UI display only protected boolean mCritical = true; - protected int mDefaultMaxPathLen = 0; // depends on the CA's path length. - protected int mCAPathLen = 0; + protected int mDefaultMaxPathLen = 0; // depends on the CA's path length. + protected int mCAPathLen = 0; protected boolean mRemoveExt = true; protected boolean mIsCA = true; public static final boolean DEFAULT_CRITICALITY = true; /** - * Adds the basic constraints extension as a critical extension in - * CA certificates i.e. certype is ca, with either a requested + * Adds the basic constraints extension as a critical extension in + * CA certificates i.e. certype is ca, with either a requested * or configured path len. - * The requested or configured path length cannot be greater than + * The requested or configured path length cannot be greater than * or equal to the CA's basic constraints path length. * If the CA path length is 0, all requests for CA certs are rejected. */ public BasicConstraintsExt() { NAME = "BasicConstraintsExt"; - DESC = + DESC = "Sets critical basic constraints extension in subordinate CA certs"; } @@ -96,33 +95,31 @@ public class BasicConstraintsExt extends APolicyRule * Initializes this policy rule. * <p> * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=BasicConstraintsExtImpl - * ca.Policy.rule.<ruleName>.pathLen=<n>, -1 for undefined. - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=BasicConstraintsExtImpl ca.Policy.rule.<ruleName>.pathLen=<n>, -1 for undefined. ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // get the CA's path len to check against configured max path len. ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot find the Certificate Manager or Registration Manager")); } if (certAuthority instanceof IRegistrationAuthority) { - log(ILogger.LL_WARN, - "default basic constraints extension path len to -1."); + log(ILogger.LL_WARN, + "default basic constraints extension path len to -1."); mCAPathLen = -1; } else { CertificateChain caChain = certAuthority.getCACertChain(); - if( caChain == null || CMS.isPreOpMode() ) { + if (caChain == null || CMS.isPreOpMode()) { return; } X509Certificate caCert = caChain.getFirstCertificate(); @@ -132,14 +129,14 @@ public class BasicConstraintsExt extends APolicyRule // set default to one less than the CA's pathlen or 0 if CA's // pathlen is 0. // If it's unlimited default the max pathlen also to unlimited. - if (mCAPathLen < 0) + if (mCAPathLen < 0) mDefaultMaxPathLen = -1; - else if (mCAPathLen > 0) + else if (mCAPathLen > 0) mDefaultMaxPathLen = mCAPathLen - 1; else // (mCAPathLen == 0) { - log(ILogger.LL_WARN, - CMS.getLogMessage("POLICY_PATHLEN_ZERO")); + log(ILogger.LL_WARN, + CMS.getLogMessage("POLICY_PATHLEN_ZERO")); //return; } @@ -151,19 +148,19 @@ public class BasicConstraintsExt extends APolicyRule mIsCA = config.getBoolean(PROP_IS_CA, true); mMaxPathLen = config.getInteger(PROP_MAXPATHLEN); if (mMaxPathLen < 0) { - log(ILogger.LL_MISCONF, - CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_4", "", - String.valueOf(mMaxPathLen))); + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_4", "", + String.valueOf(mMaxPathLen))); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN_1", - NAME, String.valueOf(mMaxPathLen))); + NAME, String.valueOf(mMaxPathLen))); } mOrigMaxPathLen = Integer.toString(mMaxPathLen); } catch (EBaseException e) { - if (!(e instanceof EPropertyNotFound) && - !(e instanceof EPropertyNotDefined)) { - log(ILogger.LL_MISCONF, - CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN")); + if (!(e instanceof EPropertyNotFound) && + !(e instanceof EPropertyNotDefined)) { + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN")); throw e; } @@ -179,49 +176,49 @@ public class BasicConstraintsExt extends APolicyRule // else maxPathlen must be at most one less than the CA's // pathlen or 0 if CA's pathlen is 0. - if (mCAPathLen > 0 && - (mMaxPathLen >= mCAPathLen || mMaxPathLen < 0)) { - String maxStr = (mMaxPathLen < 0) ? - String.valueOf(mMaxPathLen) + "(unlimited)" : - String.valueOf(mMaxPathLen); + if (mCAPathLen > 0 && + (mMaxPathLen >= mCAPathLen || mMaxPathLen < 0)) { + String maxStr = (mMaxPathLen < 0) ? + String.valueOf(mMaxPathLen) + "(unlimited)" : + String.valueOf(mMaxPathLen); - log(ILogger.LL_MISCONF, - CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", "", - maxStr, - String.valueOf(mCAPathLen))); + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", "", + maxStr, + String.valueOf(mCAPathLen))); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG_1", - NAME, maxStr, Integer.toString(mCAPathLen))); + NAME, maxStr, Integer.toString(mCAPathLen))); } else if (mCAPathLen == 0 && mMaxPathLen != 0) { - log(ILogger.LL_MISCONF, - CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_2", "", String.valueOf(mMaxPathLen))); + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_2", "", String.valueOf(mMaxPathLen))); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN", - NAME, String.valueOf(mMaxPathLen))); + NAME, String.valueOf(mMaxPathLen))); } } } /** - * Checks if the basic contraints extension in certInfo is valid and + * Checks if the basic contraints extension in certInfo is valid and * add the basic constraints extension for CA certs if none exists. * Non-CA certs do not get a basic constraints extension. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } @@ -229,24 +226,24 @@ public class BasicConstraintsExt extends APolicyRule boolean isCA = mIsCA; /** - boolean isCA = false; - String type = (String)req.get(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - if (type != null && type.equalsIgnoreCase(IRequest.CA_CERT)) { - isCA = true; - } + * boolean isCA = false; + * String type = (String)req.get(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + * if (type != null && type.equalsIgnoreCase(IRequest.CA_CERT)) { + * isCA = true; + * } **/ for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, isCA, certInfo); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; } public PolicyResult applyCert( - IRequest req, boolean isCA, X509CertInfo certInfo) { + IRequest req, boolean isCA, X509CertInfo certInfo) { // get basic constraints extension from cert info if any. CertificateExtensions extensions = null; @@ -272,8 +269,8 @@ public class BasicConstraintsExt extends APolicyRule if (extensions == null) { try { // create extensions set if none. - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { @@ -293,21 +290,21 @@ public class BasicConstraintsExt extends APolicyRule try { critExt = new BasicConstraintsExtension(isCA, mCritical, mMaxPathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", - e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } - + try { extensions.set(BasicConstraintsExtension.NAME, critExt); } catch (IOException e) { } CMS.debug( - "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + - req.getRequestId()); + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } @@ -318,29 +315,29 @@ public class BasicConstraintsExt extends APolicyRule if (mCAPathLen == 0) { // reject all subordinate CA cert requests because CA's // path length is 0. - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_NO_SUB_CA_CERTS_ALLOWED_1", NAME)); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_NO_SUB_CA_CERTS_ALLOWED_1", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED", NAME), ""); return PolicyResult.REJECTED; } - if (basicExt != null) { + if (basicExt != null) { try { - boolean extIsCA = - ((Boolean) basicExt.get(BasicConstraintsExtension.IS_CA)).booleanValue(); - int pathLen = - ((Integer) basicExt.get(BasicConstraintsExtension.PATH_LEN)).intValue(); + boolean extIsCA = + ((Boolean) basicExt.get(BasicConstraintsExtension.IS_CA)).booleanValue(); + int pathLen = + ((Integer) basicExt.get(BasicConstraintsExtension.PATH_LEN)).intValue(); if (mMaxPathLen > -1) { if (pathLen > mMaxPathLen || pathLen < 0) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", NAME, "unlimited", String.valueOf(pathLen))); - if (pathLen < 0) + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", NAME, "unlimited", String.valueOf(pathLen))); + if (pathLen < 0) setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", NAME, "unlimited", Integer.toString(mMaxPathLen)), ""); else setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", - NAME, Integer.toString(pathLen), + NAME, Integer.toString(pathLen), Integer.toString(mMaxPathLen)), ""); return PolicyResult.REJECTED; } @@ -348,20 +345,20 @@ public class BasicConstraintsExt extends APolicyRule // adjust isCA field if (!extIsCA) { - basicExt.set(BasicConstraintsExtension.IS_CA, - Boolean.valueOf(true)); + basicExt.set(BasicConstraintsExtension.IS_CA, + Boolean.valueOf(true)); } // adjust path length field. if (mMaxPathLen == 0) { if (pathLen != 0) { - basicExt.set(BasicConstraintsExtension.PATH_LEN, - Integer.valueOf(0)); + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(0)); pathLen = 0; } } else if (mMaxPathLen > 0 && pathLen > mMaxPathLen) { - basicExt.set(BasicConstraintsExtension.PATH_LEN, - Integer.valueOf(mMaxPathLen)); + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(mMaxPathLen)); pathLen = mMaxPathLen; } @@ -372,10 +369,10 @@ public class BasicConstraintsExt extends APolicyRule try { critExt = new BasicConstraintsExtension(isCA, mCritical, pathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_1", NAME)); - setError(req, - CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } extensions.delete(BasicConstraintsExtension.NAME); @@ -385,8 +382,8 @@ public class BasicConstraintsExt extends APolicyRule // not possible in these cases. } CMS.debug( - "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + - req.getRequestId()); + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } @@ -394,8 +391,8 @@ public class BasicConstraintsExt extends APolicyRule if (extensions == null) { try { // create extensions set if none. - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { @@ -413,29 +410,29 @@ public class BasicConstraintsExt extends APolicyRule if (reqPathLenStr == null) { reqPathLen = mMaxPathLen; } else { - try { - reqPathLen = Integer.parseInt(reqPathLenStr); + try { + reqPathLen = Integer.parseInt(reqPathLenStr); if ((mMaxPathLen == 0 && reqPathLen != 0) || - (mMaxPathLen > 0 && + (mMaxPathLen > 0 && (reqPathLen > mMaxPathLen || reqPathLen < 0))) { - String plenStr = - ((reqPathLen < 0) ? - reqPathLenStr + "(unlimited)" : reqPathLenStr); - - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_PATHLEN_TOO_BIG_3", plenStr, - String.valueOf(mMaxPathLen))); - setError(req, - CMS.getUserMessage("CMS_POLICY_PATHLEN_TOO_BIG", - NAME, plenStr, String.valueOf(mMaxPathLen)), ""); + String plenStr = + ((reqPathLen < 0) ? + reqPathLenStr + "(unlimited)" : reqPathLenStr); + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_PATHLEN_TOO_BIG_3", plenStr, + String.valueOf(mMaxPathLen))); + setError(req, + CMS.getUserMessage("CMS_POLICY_PATHLEN_TOO_BIG", + NAME, plenStr, String.valueOf(mMaxPathLen)), ""); return PolicyResult.REJECTED; } } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_INVALID_PATHLEN_FORMAT_2", NAME, reqPathLenStr)); - setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_PATHLEN_FORMAT", + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_INVALID_PATHLEN_FORMAT_2", NAME, reqPathLenStr)); + setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_PATHLEN_FORMAT", NAME, reqPathLenStr), ""); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } } BasicConstraintsExtension newExt; @@ -443,29 +440,29 @@ public class BasicConstraintsExt extends APolicyRule try { newExt = new BasicConstraintsExtension(isCA, mCritical, reqPathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } try { extensions.set(BasicConstraintsExtension.NAME, newExt); - }catch (IOException e) { + } catch (IOException e) { // doesn't happen. } CMS.debug( - "BasicConstraintsExt: added the extension to request " + - req.getRequestId()); + "BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); // Because of one of the UI bugs 385273, we should leave the empty space @@ -478,10 +475,10 @@ public class BasicConstraintsExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_IS_CRITICAL + "=true"); @@ -494,17 +491,16 @@ public class BasicConstraintsExt extends APolicyRule String[] params = { PROP_MAXPATHLEN + ";number;'0' means : no subordinates allowed, 'n' means : at most n subordinates allowed.", PROP_IS_CRITICAL + ";boolean;" + - "RFC 2459 recommendation: MUST be critical in CA certs, SHOULD NOT appear in EE certs.", + "RFC 2459 recommendation: MUST be critical in CA certs, SHOULD NOT appear in EE certs.", PROP_IS_CA + ";boolean;" + - "Identifies the subject of the certificate is a CA or not.", + "Identifies the subject of the certificate is a CA or not.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-basicconstraints", + ";configuration-policyrules-basicconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Adds the Basic Constraints extension. See RFC 2459 (4.2.1.10)" + ";Adds the Basic Constraints extension. See RFC 2459 (4.2.1.10)" }; return params; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java index cec8051b8..cc8753cee 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Hashtable; @@ -50,18 +49,18 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * The type of the distribution point or issuer name. The name is expressed * as a simple string in the configuration file, so this attribute is needed * to tell whether the simple string should be stored in an X.500 Name, * a URL, or an RDN. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ @@ -69,7 +68,7 @@ class NameType { private NameType() { } // no default constructor - private String stringRep; // string representation of this type + private String stringRep; // string representation of this type private NameType(String s) { map.put(s, this); @@ -79,7 +78,7 @@ class NameType { private static Hashtable map = new Hashtable(); /** - * Looks up a NameType from its string representation. Returns null + * Looks up a NameType from its string representation. Returns null * if no matching NameType was found. */ public static NameType fromString(String s) { @@ -93,10 +92,9 @@ class NameType { public static final NameType DIRECTORY_NAME = new NameType("DirectoryName"); public static final NameType URI = new NameType("URI"); public static final NameType RELATIVE_TO_ISSUER = - new NameType("RelativeToIssuer"); + new NameType("RelativeToIssuer"); } - /** * These are the parameters that may be given in the configuration file * for each distribution point. They are parsed by DPParamsToDP(). @@ -124,13 +122,12 @@ class DistPointParams { } - /** * CRL Distribution Points policy. * Adds the CRL Distribution Points extension to the certificate. */ public class CRLDistributionPointsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_IS_CRITICAL = "critical"; public static final String PROP_NUM_POINTS = "numPoints"; @@ -173,29 +170,29 @@ public class CRLDistributionPointsExt extends APolicyRule // should replace MAX_POINTS with mNumPoints if bug 385118 is fixed for (int i = 0; i < MAX_POINTS; i++) { v.addElement(PROP_POINT_TYPE + Integer.toString(i) + ";choice(" + - "DirectoryName,URI,RelativeToIssuer);" + - "The type of the CRL distribution point."); + "DirectoryName,URI,RelativeToIssuer);" + + "The type of the CRL distribution point."); v.addElement(PROP_POINT_NAME + Integer.toString(i) + ";string;" + - "The name of the CRL distribution point depending on the CRLDP type."); + "The name of the CRL distribution point depending on the CRLDP type."); v.addElement(PROP_REASONS + Integer.toString(i) + ";string;" + - "The revocation reasons for the CRL maintained at this distribution point. It's a comma-seperated list of the following constants: unused, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold."); + "The revocation reasons for the CRL maintained at this distribution point. It's a comma-seperated list of the following constants: unused, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold."); v.addElement(PROP_ISSUER_TYPE + Integer.toString(i) + ";choice(" + - "DirectoryName,URI);" + - "The type of the issuer that has signed the CRL maintained at this distribution point."); + "DirectoryName,URI);" + + "The type of the issuer that has signed the CRL maintained at this distribution point."); v.addElement(PROP_ISSUER_NAME + Integer.toString(i) + ";string;" + - "The name of the issuer that has signed the CRL maintained at this distribution point. The value depends on the issuer type."); + "The name of the issuer that has signed the CRL maintained at this distribution point. The value depends on the issuer type."); } v.addElement(PROP_NUM_POINTS + - ";number;The total number of CRL distribution points to be contained or allowed in the extension."); + ";number;The total number of CRL distribution points to be contained or allowed in the extension."); v.addElement(PROP_IS_CRITICAL + - ";boolean;RFC 2459 recommendation: SHOULD be non-critical. But recommends support for this extension by CAs and applications."); + ";boolean;RFC 2459 recommendation: SHOULD be non-critical. But recommends support for this extension by CAs and applications."); v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-crldistributionpoints"); + ";configuration-policyrules-crldistributionpoints"); v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";This policy inserts the CRL Distribution Points " + - "Extension into the certificate. See RFC 2459 (4.2.1.14). " - ); + ";This policy inserts the CRL Distribution Points " + + "Extension into the certificate. See RFC 2459 (4.2.1.14). " + ); mExtParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } @@ -212,13 +209,13 @@ public class CRLDistributionPointsExt extends APolicyRule * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // Register the CRL Distribution Points extension. try { netscape.security.x509.OIDMap.addAttribute( - CRLDistributionPointsExtension.class.getName(), - CRLDistributionPointsExtension.OID, - CRLDistributionPointsExtension.NAME); + CRLDistributionPointsExtension.class.getName(), + CRLDistributionPointsExtension.OID, + CRLDistributionPointsExtension.NAME); } catch (CertificateException e) { // ignore, just means it has already been added } @@ -273,7 +270,7 @@ public class CRLDistributionPointsExt extends APolicyRule * actual CRL Distribution Point object. */ private CRLDistributionPoint DPParamsToDP(DistPointParams params) - throws EBaseException { + throws EBaseException { CRLDistributionPoint crlDP = new CRLDistributionPoint(); try { @@ -337,14 +334,14 @@ public class CRLDistributionPointsExt extends APolicyRule if (r == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_REASON", s)); - throw new EBaseException("Unknown reason: " + s); + throw new EBaseException("Unknown reason: " + s); } else { reasonBits |= r.getBitMask(); } } if (reasonBits != 0) { BitArray ba = new BitArray(8, new byte[] { reasonBits } - ); + ); crlDP.setReasons(ba); } @@ -421,15 +418,15 @@ public class CRLDistributionPointsExt extends APolicyRule try { // find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { // remove any previously computed version of the extension @@ -446,13 +443,13 @@ public class CRLDistributionPointsExt extends APolicyRule } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } } @@ -471,7 +468,7 @@ public class CRLDistributionPointsExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java index 4490b25ee..7a42cc6f1 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -50,21 +49,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Certificate Policies. * Adds certificate policies extension. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class CertificatePoliciesExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_CERTPOLICIES = "numCertPolicies"; @@ -91,17 +90,15 @@ public class CertificatePoliciesExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mEnabled = mConfig.getBoolean( @@ -126,7 +123,7 @@ public class CertificatePoliciesExt extends APolicyRule mCertPolicies[i] = new CertPolicy(subtreeName, mConfig, mEnabled); } catch (EBaseException e) { log(ILogger.LL_FAILURE, NAME + ": " + - CMS.getLogMessage("POLICY_ERROR_CREATE_CERT_POLICY", e.toString())); + CMS.getLogMessage("POLICY_ERROR_CREATE_CERT_POLICY", e.toString())); throw e; } } @@ -138,21 +135,21 @@ public class CertificatePoliciesExt extends APolicyRule for (int j = 0; j < mNumCertPolicies; j++) { CertPolicies.addElement( - mCertPolicies[j].mCertificatePolicyInfo); + mCertPolicies[j].mCertificatePolicyInfo); } - mCertificatePoliciesExtension = + mCertificatePoliciesExtension = new CertificatePoliciesExtension(mCritical, CertPolicies); } catch (IOException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Error initializing " + NAME + " Error: " + e)); + "Error initializing " + NAME + " Error: " + e)); } } // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - PROP_NUM_CERTPOLICIES + "=" + mNumCertPolicies); + PROP_NUM_CERTPOLICIES + "=" + mNumCertPolicies); for (int i = 0; i < mNumCertPolicies; i++) { mCertPolicies[i].getInstanceParams(mInstanceParams); } @@ -161,19 +158,19 @@ public class CertificatePoliciesExt extends APolicyRule /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -194,8 +191,8 @@ public class CertificatePoliciesExt extends APolicyRule if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -213,24 +210,24 @@ public class CertificatePoliciesExt extends APolicyRule } } extensions.set(CertificatePoliciesExtension.NAME, - mCertificatePoliciesExtension); + mCertificatePoliciesExtension); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", e.toString())); setError(req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", e.toString())); setError(req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } catch (Exception e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", e.toString())); setError(req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; @@ -238,51 +235,51 @@ public class CertificatePoliciesExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. - * To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefParams.addElement( - PROP_NUM_CERTPOLICIES + "=" + DEF_NUM_CERTPOLICIES); + PROP_NUM_CERTPOLICIES + "=" + DEF_NUM_CERTPOLICIES); String certPolicy0Dot = PROP_CERTPOLICY + "0."; mDefParams.addElement( - certPolicy0Dot + CertPolicy.PROP_POLICY_IDENTIFIER + "=" + ""); + certPolicy0Dot + CertPolicy.PROP_POLICY_IDENTIFIER + "=" + ""); mDefParams.addElement( - certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_ORG + "=" + ""); + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_ORG + "=" + ""); mDefParams.addElement( - certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_NUMS + "=" + ""); + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_NUMS + "=" + ""); mDefParams.addElement( - certPolicy0Dot + CertPolicy.PROP_USER_NOTICE_TEXT + "=" + ""); + certPolicy0Dot + CertPolicy.PROP_USER_NOTICE_TEXT + "=" + ""); mDefParams.addElement( - certPolicy0Dot + CertPolicy.PROP_CPS_URI + "=" + ""); + certPolicy0Dot + CertPolicy.PROP_CPS_URI + "=" + ""); } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); - + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 3280 recommendation: MUST be non-critical."); theparams.addElement(PROP_NUM_CERTPOLICIES + ";number; Number of certificate policies. The value must be greater than or equal to 1"); @@ -290,22 +287,22 @@ public class CertificatePoliciesExt extends APolicyRule String certPolicykDot = PROP_CERTPOLICY + k + "."; theparams.addElement(certPolicykDot + - CertPolicy.PROP_POLICY_IDENTIFIER + ";string,required;An object identifier in the form n.n.n.n"); + CertPolicy.PROP_POLICY_IDENTIFIER + ";string,required;An object identifier in the form n.n.n.n"); theparams.addElement(certPolicykDot + - CertPolicy.PROP_NOTICE_REF_ORG + ";string;See RFC 3280 sec 4.2.1.5"); + CertPolicy.PROP_NOTICE_REF_ORG + ";string;See RFC 3280 sec 4.2.1.5"); theparams.addElement(certPolicykDot + - CertPolicy.PROP_NOTICE_REF_NUMS + - ";string;comma-separated list of numbers. See RFC 3280 sec 4.2.1.5"); + CertPolicy.PROP_NOTICE_REF_NUMS + + ";string;comma-separated list of numbers. See RFC 3280 sec 4.2.1.5"); theparams.addElement(certPolicykDot + - CertPolicy.PROP_USER_NOTICE_TEXT + ";string;See RFC 3280 sec 4.2.1.5"); + CertPolicy.PROP_USER_NOTICE_TEXT + ";string;See RFC 3280 sec 4.2.1.5"); theparams.addElement(certPolicykDot + - CertPolicy.PROP_CPS_URI + ";string;See RFC 3280 sec 4.2.1.5"); + CertPolicy.PROP_CPS_URI + ";string;See RFC 3280 sec 4.2.1.5"); } theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-certificatepolicies"); + ";configuration-policyrules-certificatepolicies"); theparams.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Certificate Policies Extension. See RFC 3280 (4.2.1.5)"); + ";Adds Certificate Policies Extension. See RFC 3280 (4.2.1.5)"); String[] params = new String[theparams.size()]; @@ -314,7 +311,6 @@ public class CertificatePoliciesExt extends APolicyRule } } - class CertPolicy { protected static final String PROP_POLICY_IDENTIFIER = "policyId"; @@ -337,34 +333,35 @@ class CertPolicy { /** * forms policy map parameters. + * * @param name name of this policy map, for example certPolicy0 * @param config parent's config from where we find this configuration. * @param enabled whether policy was enabled. */ - protected CertPolicy(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected CertPolicy(String name, IConfigStore config, boolean enabled) + throws EBaseException { mName = name; mConfig = config.getSubStore(mName); mNameDot = mName + "."; - if( mConfig == null ) { - CMS.debug( "CertificatePoliciesExt::CertPolicy - mConfig is " + - "null!" ); - throw new EBaseException( "mConfig is null" ); + if (mConfig == null) { + CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig is " + + "null!"); + throw new EBaseException("mConfig is null"); } // if there's no configuration for this policy put it there. if (mConfig.size() == 0) { - config.putString(mNameDot + PROP_POLICY_IDENTIFIER, ""); - config.putString(mNameDot + PROP_NOTICE_REF_ORG, ""); - config.putString(mNameDot + PROP_NOTICE_REF_NUMS, ""); - config.putString(mNameDot + PROP_USER_NOTICE_TEXT, ""); - config.putString(mNameDot + PROP_CPS_URI, ""); + config.putString(mNameDot + PROP_POLICY_IDENTIFIER, ""); + config.putString(mNameDot + PROP_NOTICE_REF_ORG, ""); + config.putString(mNameDot + PROP_NOTICE_REF_NUMS, ""); + config.putString(mNameDot + PROP_USER_NOTICE_TEXT, ""); + config.putString(mNameDot + PROP_CPS_URI, ""); mConfig = config.getSubStore(mName); - if(mConfig == null || mConfig.size() == 0) { - CMS.debug( "CertificatePoliciesExt::CertPolicy - mConfig " + - "is null or empty!" ); - throw new EBaseException( "mConfig is null or empty" ); + if (mConfig == null || mConfig.size() == 0) { + CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig " + + "is null or empty!"); + throw new EBaseException("mConfig is null or empty"); } } @@ -376,28 +373,28 @@ class CertPolicy { mCpsUri = mConfig.getString(PROP_CPS_URI, null); // adjust for "" and console returning "null" - if (mPolicyId != null && - (mPolicyId.length() == 0 || + if (mPolicyId != null && + (mPolicyId.length() == 0 || mPolicyId.equals("null"))) { mPolicyId = null; } - if (mNoticeRefOrg != null && - (mNoticeRefOrg.length() == 0 || + if (mNoticeRefOrg != null && + (mNoticeRefOrg.length() == 0 || mNoticeRefOrg.equals("null"))) { mNoticeRefOrg = null; } - if (mNoticeRefNums != null && - (mNoticeRefNums.length() == 0 || + if (mNoticeRefNums != null && + (mNoticeRefNums.length() == 0 || mNoticeRefNums.equals("null"))) { mNoticeRefNums = null; } - if (mNoticeRefExplicitText != null && - (mNoticeRefExplicitText.length() == 0 || + if (mNoticeRefExplicitText != null && + (mNoticeRefExplicitText.length() == 0 || mNoticeRefExplicitText.equals("null"))) { mNoticeRefExplicitText = null; } - if (mCpsUri != null && - (mCpsUri.length() == 0 || + if (mCpsUri != null && + (mCpsUri.length() == 0 || mCpsUri.equals("null"))) { mCpsUri = null; } @@ -405,42 +402,43 @@ class CertPolicy { // policy ids cannot be null if policy is enabled. String msg = "value cannot be null."; - if (mPolicyId == null && enabled) + if (mPolicyId == null && enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mNameDot + PROP_POLICY_IDENTIFIER, msg)); msg = "NoticeReference is optional; If chosen to include, NoticeReference must at least has 'organization'"; - if (mNoticeRefOrg == null && mNoticeRefNums != null && enabled) + if (mNoticeRefOrg == null && mNoticeRefNums != null && enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mNameDot + PROP_NOTICE_REF_ORG, msg)); - - // if a policy id is not null check that it is a valid OID. + + // if a policy id is not null check that it is a valid OID. ObjectIdentifier policyId = null; - if (mPolicyId != null) + if (mPolicyId != null) policyId = CMS.checkOID( mNameDot + PROP_POLICY_IDENTIFIER, mPolicyId); - - // if enabled, form CertificatePolicyInfo to be encoded in - // extension. Policy ids should be all set. + + // if enabled, form CertificatePolicyInfo to be encoded in + // extension. Policy ids should be all set. if (enabled) { - CMS.debug("CertPolicy: in CertPolicy"); + CMS.debug("CertPolicy: in CertPolicy"); DisplayText displayText = null; - if (mNoticeRefExplicitText != null && - !mNoticeRefExplicitText.equals("")) + if (mNoticeRefExplicitText != null && + !mNoticeRefExplicitText.equals("")) displayText = new DisplayText(DisplayText.tag_VisibleString, mNoticeRefExplicitText); - // new DisplayText(DisplayText.tag_IA5String, mNoticeRefExplicitText); + // new DisplayText(DisplayText.tag_IA5String, mNoticeRefExplicitText); DisplayText orgName = null; - if (mNoticeRefOrg != null && - !mNoticeRefOrg.equals("")) + if (mNoticeRefOrg != null && + !mNoticeRefOrg.equals("")) orgName = new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); - // new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); + // new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); - int[] nums = new int[0];; - if (mNoticeRefNums != null && - !mNoticeRefNums.equals("")) { + int[] nums = new int[0]; + ; + if (mNoticeRefNums != null && + !mNoticeRefNums.equals("")) { // should add a method to NoticeReference to take a // Vector...but let's do this for now @@ -468,24 +466,23 @@ class CertPolicy { try { cpolicyId = new CertificatePolicyId(ObjectIdentifier.getObjectIdentifier(mPolicyId)); } catch (Exception e) { - throw new - EBaseException(CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId)); + throw new EBaseException(CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId)); } PolicyQualifiers policyQualifiers = new PolicyQualifiers(); - + NoticeReference noticeReference = null; - + if (orgName != null) noticeReference = new NoticeReference(orgName, nums); UserNotice userNotice = null; if (displayText != null || noticeReference != null) { - userNotice = new UserNotice (noticeReference, displayText); - + userNotice = new UserNotice(noticeReference, displayText); + PolicyQualifierInfo policyQualifierInfo1 = - new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, userNotice); + new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, userNotice); policyQualifiers.add(policyQualifierInfo1); } @@ -493,25 +490,25 @@ class CertPolicy { CPSuri cpsUri = null; if (mCpsUri != null && mCpsUri.length() > 0) { - cpsUri = new CPSuri (mCpsUri); + cpsUri = new CPSuri(mCpsUri); PolicyQualifierInfo policyQualifierInfo2 = - new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsUri); - + new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsUri); + policyQualifiers.add(policyQualifierInfo2); } if ((mNoticeRefOrg == null || mNoticeRefOrg.equals("")) && - (mNoticeRefExplicitText == null || mNoticeRefExplicitText.equals("")) && - (mCpsUri == null || mCpsUri.equals(""))) { - CMS.debug("CertPolicy mNoticeRefOrg = "+mNoticeRefOrg); - CMS.debug("CertPolicy mNoticeRefExplicitText = "+mNoticeRefExplicitText); - CMS.debug("CertPolicy mCpsUri = "+mCpsUri); + (mNoticeRefExplicitText == null || mNoticeRefExplicitText.equals("")) && + (mCpsUri == null || mCpsUri.equals(""))) { + CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = " + mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = " + mCpsUri); mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId); } else { - CMS.debug("CertPolicy mNoticeRefOrg = "+mNoticeRefOrg); - CMS.debug("CertPolicy mNoticeRefExplicitText = "+mNoticeRefExplicitText); - CMS.debug("CertPolicy mCpsUri = "+mCpsUri); + CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = " + mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = " + mCpsUri); mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId, policyQualifiers); } } @@ -519,20 +516,19 @@ class CertPolicy { protected void getInstanceParams(Vector instanceParams) { instanceParams.addElement( - mNameDot + PROP_POLICY_IDENTIFIER + "=" + (mPolicyId == null ? "" : - mPolicyId)); + mNameDot + PROP_POLICY_IDENTIFIER + "=" + (mPolicyId == null ? "" : + mPolicyId)); instanceParams.addElement( - mNameDot + PROP_NOTICE_REF_ORG + "=" + (mNoticeRefOrg == null ? "" : - mNoticeRefOrg)); + mNameDot + PROP_NOTICE_REF_ORG + "=" + (mNoticeRefOrg == null ? "" : + mNoticeRefOrg)); instanceParams.addElement( - mNameDot + PROP_NOTICE_REF_NUMS + "=" + (mNoticeRefNums == null ? "" : - mNoticeRefNums)); + mNameDot + PROP_NOTICE_REF_NUMS + "=" + (mNoticeRefNums == null ? "" : + mNoticeRefNums)); instanceParams.addElement( - mNameDot + PROP_USER_NOTICE_TEXT + "=" + (mNoticeRefExplicitText == null ? "" : - mNoticeRefExplicitText)); + mNameDot + PROP_USER_NOTICE_TEXT + "=" + (mNoticeRefExplicitText == null ? "" : + mNoticeRefExplicitText)); instanceParams.addElement( - mNameDot + PROP_CPS_URI + "=" + (mCpsUri == null ? "" : - mCpsUri)); + mNameDot + PROP_CPS_URI + "=" + (mCpsUri == null ? "" : + mCpsUri)); } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java index c5a24d630..37a11343b 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Date; @@ -40,20 +39,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Certificate Renewal Window Extension Policy * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class CertificateRenewalWindowExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_END_TIME = "relativeEndTime"; protected static final String PROP_BEGIN_TIME = "relativeBeginTime"; @@ -64,7 +63,7 @@ public class CertificateRenewalWindowExt extends APolicyRule protected String mEndTime; /** - * Adds the Netscape comment in the end-entity certificates or + * Adds the Netscape comment in the end-entity certificates or * CA certificates. The policy is set to be non-critical with the * provided OID. */ @@ -75,11 +74,11 @@ public class CertificateRenewalWindowExt extends APolicyRule /** * Initializes this policy rule. - * - * @param config The config store reference + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mCritical = config.getBoolean(PROP_CRITICAL, false); mBeginTime = config.getString(PROP_BEGIN_TIME, null); mEndTime = config.getString(PROP_END_TIME, null); @@ -89,16 +88,16 @@ public class CertificateRenewalWindowExt extends APolicyRule /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -128,8 +127,8 @@ public class CertificateRenewalWindowExt extends APolicyRule if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -137,7 +136,7 @@ public class CertificateRenewalWindowExt extends APolicyRule // remove any previously computed version of the extension try { extensions.delete(CertificateRenewalWindowExtension.NAME); - + } catch (IOException e) { // this is the hack: for some reason, the key which is the name // of the policy has been converted into the OID @@ -154,22 +153,22 @@ public class CertificateRenewalWindowExt extends APolicyRule if (mEndTime == null || mEndTime.equals("")) { crwExt = new CertificateRenewalWindowExtension( - mCritical, + mCritical, getDateValue(now, mBeginTime), null); } else { crwExt = new CertificateRenewalWindowExtension( - mCritical, + mCritical, getDateValue(now, mBeginTime), getDateValue(now, mEndTime)); } - extensions.set(CertificateRenewalWindowExtension.NAME, - crwExt); + extensions.set(CertificateRenewalWindowExtension.NAME, + crwExt); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); setError(req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; @@ -179,13 +178,13 @@ public class CertificateRenewalWindowExt extends APolicyRule long time; if (s.endsWith("s")) { - time = 1000 * Long.parseLong(s.substring(0, + time = 1000 * Long.parseLong(s.substring(0, s.length() - 1)); } else if (s.endsWith("m")) { - time = 60 * 1000 * Long.parseLong(s.substring(0, + time = 60 * 1000 * Long.parseLong(s.substring(0, s.length() - 1)); } else if (s.endsWith("h")) { - time = 60 * 60 * 1000 * Long.parseLong(s.substring(0, + time = 60 * 60 * 1000 * Long.parseLong(s.substring(0, s.length() - 1)); } else if (s.endsWith("D")) { time = 24 * 60 * 60 * 1000 * Long.parseLong( @@ -206,9 +205,9 @@ public class CertificateRenewalWindowExt extends APolicyRule PROP_BEGIN_TIME + ";string;Start Time in seconds (Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", PROP_END_TIME + ";string;End Time in seconds (Optional, Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-certificaterenewalwindow", + ";configuration-policyrules-certificaterenewalwindow", IExtendedPluginInfo.HELP_TEXT + - ";Adds 'Certificate Renewal Window' extension. See manual" + ";Adds 'Certificate Renewal Window' extension. See manual" }; return params; @@ -217,10 +216,10 @@ public class CertificateRenewalWindowExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); @@ -239,10 +238,10 @@ public class CertificateRenewalWindowExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java index e6cbddf60..bf89d486a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -43,31 +42,31 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Certificate Scope Of Use extension policy. This extension * is defined in draft-thayes-cert-scope-00.txt * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class CertificateScopeOfUseExt extends APolicyRule implements +public class CertificateScopeOfUseExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = - "critical"; + "critical"; protected static final String PROP_ENTRY = - "entry"; + "entry"; protected static final String PROP_NAME = - "name"; + "name"; protected static final String PROP_NAME_TYPE = - "name_type"; + "name_type"; protected static final String PROP_PORT_NUMBER = - "port_number"; + "port_number"; public static final int MAX_ENTRY = 5; @@ -82,11 +81,11 @@ public class CertificateScopeOfUseExt extends APolicyRule implements Vector v = new Vector(); v.addElement(PROP_CRITICAL + - ";boolean; This extension may be either critical or non-critical."); + ";boolean; This extension may be either critical or non-critical."); v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-certificatescopeofuse"); + ";configuration-policyrules-certificatescopeofuse"); v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Certificate Scope of Use Extension."); + ";Adds Certificate Scope of Use Extension."); for (int i = 0; i < MAX_ENTRY; i++) { v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); @@ -99,17 +98,15 @@ public class CertificateScopeOfUseExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; } @@ -124,7 +121,7 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // for (int i = 0;; i++) { // get port number (optional) - String port = mConfig.getString(PROP_ENTRY + + String port = mConfig.getString(PROP_ENTRY + Integer.toString(i) + "_" + PROP_PORT_NUMBER, null); BigInt portNumber = null; @@ -137,11 +134,11 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // TAG ::= uriName | dirName // VALUE ::= [value defined by TAG] // - String name_type = mConfig.getString(PROP_ENTRY + - Integer.toString(i) + + String name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME_TYPE, null); - String name = mConfig.getString(PROP_ENTRY + - Integer.toString(i) + + String name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME, null); if (name == null || name.equals("")) @@ -157,7 +154,7 @@ public class CertificateScopeOfUseExt extends APolicyRule implements * If this policy is enabled, add the authority information * access extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -169,7 +166,7 @@ public class CertificateScopeOfUseExt extends APolicyRule implements IRequest.CERT_INFO); if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -177,29 +174,29 @@ public class CertificateScopeOfUseExt extends APolicyRule implements certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME)); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } try { // Find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // add access descriptions Vector entries = getScopeEntries(); if (entries.size() == 0) { return res; - } - + } + if (extensions == null) { // create extension if not exist certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { @@ -212,29 +209,29 @@ public class CertificateScopeOfUseExt extends APolicyRule implements } // Create the extension - CertificateScopeOfUseExtension suExt = new - CertificateScopeOfUseExtension(mConfig.getBoolean( - PROP_CRITICAL, false), entries); + CertificateScopeOfUseExtension suExt = new + CertificateScopeOfUseExtension(mConfig.getBoolean( + PROP_CRITICAL, false), entries); extensions.set(CertificateScopeOfUseExtension.NAME, suExt); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - "Configuration Info Error encountered: " + - e.getMessage()); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, + "Configuration Info Error encountered: " + + e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } @@ -244,15 +241,15 @@ public class CertificateScopeOfUseExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); try { - params.addElement(PROP_CRITICAL + "=" + - mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); } catch (EBaseException e) { } @@ -260,50 +257,50 @@ public class CertificateScopeOfUseExt extends APolicyRule implements String name_type = null; try { - name_type = mConfig.getString(PROP_ENTRY + - Integer.toString(i) + "_" + PROP_NAME_TYPE, + name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME_TYPE, null); } catch (EBaseException e) { } if (name_type == null) break; - params.addElement(PROP_ENTRY + - Integer.toString(i) + - "_" + PROP_NAME_TYPE + "=" + name_type); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "=" + name_type); String name = null; try { - name = mConfig.getString(PROP_ENTRY + - Integer.toString(i) + "_" + PROP_NAME, + name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME, null); } catch (EBaseException e) { } if (name == null) break; - params.addElement(PROP_ENTRY + - Integer.toString(i) + - "_" + PROP_NAME + "=" + name); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME + "=" + name); String port = null; try { - port = mConfig.getString(PROP_ENTRY + - Integer.toString(i) + "_" + PROP_PORT_NUMBER, + port = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER, ""); } catch (EBaseException e) { } - params.addElement(PROP_ENTRY + - Integer.toString(i) + - "_" + PROP_PORT_NUMBER + "=" + port); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "=" + port); } return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); @@ -314,14 +311,13 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // the CMS.cfg // for (int i = 0; i < MAX_ENTRY; i++) { - defParams.addElement(PROP_ENTRY + Integer.toString(i) + - "_" + PROP_NAME_TYPE + "="); - defParams.addElement(PROP_ENTRY + Integer.toString(i) + - "_" + PROP_NAME + "="); - defParams.addElement(PROP_ENTRY + Integer.toString(i) + - "_" + PROP_PORT_NUMBER + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "="); } return defParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java index b5c4176d0..4bba5d371 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -40,20 +39,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * This implements the extended key usage extension. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class ExtendedKeyUsageExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_CRITICAL = "critical"; protected static final String PROP_PURPOSE_ID = "id"; protected static final String PROP_NUM_IDS = "numIds"; @@ -63,7 +62,7 @@ public class ExtendedKeyUsageExt extends APolicyRule private Vector mUsages = null; private String[] mParams = null; - + // PKIX specifies the that the extension SHOULD NOT be critical public static final boolean DEFAULT_CRITICALITY = false; @@ -81,7 +80,7 @@ public class ExtendedKeyUsageExt extends APolicyRule * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; setExtendedPluginInfo(); setupParams(); @@ -99,7 +98,7 @@ public class ExtendedKeyUsageExt extends APolicyRule } X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -119,15 +118,15 @@ public class ExtendedKeyUsageExt extends APolicyRule try { // find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { @@ -143,17 +142,17 @@ public class ExtendedKeyUsageExt extends APolicyRule } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } } - + /** * Returns instance specific parameters. */ @@ -172,16 +171,16 @@ public class ExtendedKeyUsageExt extends APolicyRule for (int i = 0; i < numIds; i++) { if (mUsages.size() <= i) { - params.addElement(PROP_PURPOSE_ID + - Integer.toString(i) + "="); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); } else { usage = ((ObjectIdentifier) mUsages.elementAt(i)).toString(); if (usage == null) { - params.addElement(PROP_PURPOSE_ID + - Integer.toString(i) + "="); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); } else { - params.addElement(PROP_PURPOSE_ID + - Integer.toString(i) + "=" + usage); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "=" + usage); } } } @@ -200,17 +199,17 @@ public class ExtendedKeyUsageExt extends APolicyRule } for (int i = 0; i < mNum; i++) { v.addElement(PROP_PURPOSE_ID + Integer.toString(i) + ";string;" + - "A unique,valid OID specified in dot-separated numeric component notation. e.g. 2.16.840.1.113730.1.99"); + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 2.16.840.1.113730.1.99"); } v.addElement(PROP_NUM_IDS + ";number;The total number of policy IDs."); v.addElement(PROP_CRITICAL + - ";boolean;RFC 2459 recommendation: This extension may, at the option of the certificate issuer, be either critical or non-critical."); + ";boolean;RFC 2459 recommendation: This extension may, at the option of the certificate issuer, be either critical or non-critical."); v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-extendedkeyusage"); + ";configuration-policyrules-extendedkeyusage"); v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Extended Key Usage Extension. Defined in RFC 2459 " + - "(4.2.1.13)"); + ";Adds Extended Key Usage Extension. Defined in RFC 2459 " + + "(4.2.1.13)"); mParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } @@ -221,7 +220,7 @@ public class ExtendedKeyUsageExt extends APolicyRule } return mParams; } - + /** * Returns default parameters. */ @@ -235,30 +234,32 @@ public class ExtendedKeyUsageExt extends APolicyRule } return defParams; } - + /** * Setups parameters. */ private void setupParams() throws EBaseException { - + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); if (mUsages == null) { mUsages = new Vector(); } - + int mNum = mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID); for (int i = 0; i < mNum; i++) { ObjectIdentifier usageOID = null; - - String usage = mConfig.getString(PROP_PURPOSE_ID + + + String usage = mConfig.getString(PROP_PURPOSE_ID + Integer.toString(i), null); try { - - if (usage == null) break; + + if (usage == null) + break; usage = usage.trim(); - if (usage.equals("")) break; + if (usage.equals("")) + break; if (usage.equalsIgnoreCase("ocspsigning")) { usageOID = ObjectIdentifier.getObjectIdentifier(ExtendedKeyUsageExtension.OID_OCSPSigning); } else if (usage.equalsIgnoreCase("codesigning")) { @@ -268,10 +269,10 @@ public class ExtendedKeyUsageExt extends APolicyRule usageOID = ObjectIdentifier.getObjectIdentifier(usage); } } catch (IOException ex) { - throw new EBaseException(this.getClass().getName() + ":" + + throw new EBaseException(this.getClass().getName() + ":" + ex.getMessage()); } catch (NumberFormatException ex) { - throw new EBaseException(this.getClass().getName() + ":" + + throw new EBaseException(this.getClass().getName() + ":" + "OID '" + usage + "' format error"); } mUsages.addElement(usageOID); diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java b/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java index 47e3de0c0..0ebe6c136 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -46,12 +45,11 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Private Integer extension policy. * If this policy is enabled, it adds an Private Integer * extension to the certificate. - * + * * The following listed sample configuration parameters: * * ca.Policy.impl.privateInteger.class=com.netscape.certsrv.policy.genericASNExt @@ -78,51 +76,52 @@ import com.netscape.cms.policy.APolicyRule; * ca.Policy.rule.genericASNExt.implName=genericASNExt * ca.Policy.rule.genericASNExt.predicate= * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class GenericASN1Ext extends APolicyRule implements +public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final int MAX_ATTR = 10; protected static final String PROP_CRITICAL = - "critical"; + "critical"; protected static final String PROP_NAME = - "name"; + "name"; protected static final String PROP_OID = - "oid"; + "oid"; protected static final String PROP_PATTERN = - "pattern"; + "pattern"; protected static final String PROP_ATTRIBUTE = - "attribute"; + "attribute"; protected static final String PROP_TYPE = - "type"; + "type"; protected static final String PROP_SOURCE = - "source"; + "source"; protected static final String PROP_VALUE = - "value"; + "value"; protected static final String PROP_PREDICATE = - "predicate"; + "predicate"; protected static final String PROP_ENABLE = - "enable"; + "enable"; public IConfigStore mConfig = null; private String pattern = null; - + public String[] getExtendedPluginInfo(Locale locale) { String s[] = { "enable" + ";boolean;Enable this policy", "predicate" + ";string;", PROP_CRITICAL + ";boolean;", - PROP_NAME + ";string;Name for this extension.", - PROP_OID + ";string;OID number for this extension. It should be unique.", + PROP_NAME + ";string;Name for this extension.", + PROP_OID + ";string;OID number for this extension. It should be unique.", PROP_PATTERN + ";string;Pattern for extension; {012}34", // Attribute 0 PROP_ATTRIBUTE + "." + "0" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", @@ -165,14 +164,14 @@ public class GenericASN1Ext extends APolicyRule implements PROP_ATTRIBUTE + "." + "9" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", PROP_ATTRIBUTE + "." + "9" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-genericasn1ext", + ";configuration-policyrules-genericasn1ext", IExtendedPluginInfo.HELP_TEXT + - ";Adds Private extension based on ASN1. See manual" + ";Adds Private extension based on ASN1. See manual" }; return s; } - + public GenericASN1Ext() { NAME = "GenericASN1Ext"; DESC = "Sets Generic extension for certificates"; @@ -181,17 +180,15 @@ public class GenericASN1Ext extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=genericASNExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=genericASNExt ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; if (mConfig == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); @@ -202,32 +199,32 @@ public class GenericASN1Ext extends APolicyRule implements if (enable == false) return; - + String oid = mConfig.getString(PROP_OID, null); if ((oid == null) || (oid.length() == 0)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); return; } - + String name = mConfig.getString(PROP_NAME, null); if ((name == null) || (name.length() == 0)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); return; } - + try { if (File.separatorChar == '\\') { pattern = mConfig.getString(PROP_PATTERN, null); checkFilename(0); - } + } } catch (IOException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } catch (EBaseException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } - + // Check OID value CMS.checkOID(name, oid); pattern = mConfig.getString(PROP_PATTERN, null); @@ -241,14 +238,14 @@ public class GenericASN1Ext extends APolicyRule implements } catch (CertificateException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } - + } // Check filename - private int checkFilename(int index) - throws IOException, EBaseException { + private int checkFilename(int index) + throws IOException, EBaseException { String source = null; - + while (index < pattern.length()) { char ch = pattern.charAt(index); @@ -262,28 +259,28 @@ public class GenericASN1Ext extends APolicyRule implements return index; default: - source = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_SOURCE, null); + source = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_SOURCE, null); if ((source != null) && (source.equalsIgnoreCase("file"))) { - String oValue = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); + String oValue = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); String nValue = oValue.replace('\\', '/'); - mConfig.putString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, nValue); + mConfig.putString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, nValue); FileInputStream fis = new FileInputStream(nValue); fis.close(); - } + } } index++; - } + } return index; } // Check oid - private int checkOID(int index) - throws EBaseException { + private int checkOID(int index) + throws EBaseException { String type = null; String oid = null; - + while (index < pattern.length()) { char ch = pattern.charAt(index); @@ -297,23 +294,23 @@ public class GenericASN1Ext extends APolicyRule implements return index; default: - type = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_TYPE, null); + type = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_TYPE, null); if ((type != null) && (type.equalsIgnoreCase("OID"))) { - oid = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); + oid = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); CMS.checkOID(oid, oid); - } + } } index++; - } + } return index; } - + /** * If this policy is enabled, add the private Integer * information extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -321,9 +318,9 @@ public class GenericASN1Ext extends APolicyRule implements PolicyResult res = PolicyResult.ACCEPTED; X509CertInfo certInfo; X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -343,7 +340,7 @@ public class GenericASN1Ext extends APolicyRule implements if (extensions == null) { // create extension if not exist certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { @@ -358,35 +355,35 @@ public class GenericASN1Ext extends APolicyRule implements // Create the extension GenericASN1Extension priExt = mkExtension(); - + extensions.set(GenericASN1Extension.NAME, priExt); } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (ParseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_EXTENSION_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Pattern parsing error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_EXTENSION_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Pattern parsing error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_UNKNOWN_EXCEPTION", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Unknown Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_UNKNOWN_EXCEPTION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Unknown Error"); return PolicyResult.REJECTED; // unrecoverable error. } } @@ -397,7 +394,7 @@ public class GenericASN1Ext extends APolicyRule implements * Construct GenericASN1Extension with value from CMS.cfg */ protected GenericASN1Extension mkExtension() - throws IOException, EBaseException, ParseException { + throws IOException, EBaseException, ParseException { GenericASN1Extension ext; Hashtable h = new Hashtable(); @@ -413,21 +410,21 @@ public class GenericASN1Ext extends APolicyRule implements String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; String propsource = PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE; String propvalue = PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE; - + h.put(proptype, mConfig.getString(proptype, null)); h.put(propsource, mConfig.getString(propsource, null)); h.put(propvalue, mConfig.getString(propvalue, null)); } ext = new GenericASN1Extension(h); return ext; - } - + } + /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { int idx = 0; Vector params = new Vector(); @@ -436,7 +433,7 @@ public class GenericASN1Ext extends APolicyRule implements params.addElement(PROP_NAME + "=" + mConfig.getString(PROP_NAME, null)); params.addElement(PROP_OID + "=" + mConfig.getString(PROP_OID, null)); params.addElement(PROP_PATTERN + "=" + mConfig.getString(PROP_PATTERN, null)); - + for (idx = 0; idx < MAX_ATTR; idx++) { String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; String propsource = PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE; @@ -447,7 +444,8 @@ public class GenericASN1Ext extends APolicyRule implements params.addElement(propvalue + "=" + mConfig.getString(propvalue, null)); } params.addElement(PROP_PREDICATE + "=" + mConfig.getString(PROP_PREDICATE, null)); - } catch (EBaseException e) {; + } catch (EBaseException e) { + ; } return params; @@ -455,26 +453,25 @@ public class GenericASN1Ext extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { int idx = 0; - + Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); defParams.addElement(PROP_NAME + "="); defParams.addElement(PROP_OID + "="); defParams.addElement(PROP_PATTERN + "="); - + for (idx = 0; idx < MAX_ATTR; idx++) { defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE + "="); defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE + "="); defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE + "="); } - + return defParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java index cc2751c03..b76651ea6 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -41,23 +40,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Issuer Alt Name Extension policy. * - * This extension is used to associate Internet-style identities - * with the Certificate issuer. + * This extension is used to associate Internet-style identities + * with the Certificate issuer. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class IssuerAltNameExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_CRITICAL = "critical"; // PKIX specifies the that the extension SHOULD NOT be critical @@ -69,15 +68,15 @@ public class IssuerAltNameExt extends APolicyRule static { defaultParams.addElement(PROP_CRITICAL + "=" + DEFAULT_CRITICALITY); CMS.getGeneralNamesConfigDefaultParams(null, true, defaultParams); - + Vector info = new Vector(); info.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD NOT be marked critical."); info.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-issueraltname"); + ";configuration-policyrules-issueraltname"); info.addElement(IExtendedPluginInfo.HELP_TEXT + - ";This policy inserts the Issuer Alternative Name " + - "Extension into the certificate. See RFC 2459 (4.2.1.8). "); + ";This policy inserts the Issuer Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.8). "); CMS.getGeneralNamesConfigExtendedPluginInfo(null, true, info); @@ -102,10 +101,11 @@ public class IssuerAltNameExt extends APolicyRule /** * Initializes this policy rule. - * @param config The config store reference + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // get criticality @@ -120,43 +120,43 @@ public class IssuerAltNameExt extends APolicyRule // form extension try { - if (mEnabled && - mGNs.getGeneralNames() != null && !mGNs.getGeneralNames().isEmpty()) { - mExtension = + if (mEnabled && + mGNs.getGeneralNames() != null && !mGNs.getGeneralNames().isEmpty()) { + mExtension = new IssuerAlternativeNameExtension( - Boolean.valueOf(mCritical), mGNs.getGeneralNames()); + Boolean.valueOf(mCritical), mGNs.getGeneralNames()); } } catch (Exception e) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); } // init instance params - mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mParams.addElement(PROP_CRITICAL + "=" + mCritical); mGNs.getInstanceParams(mParams); return; } /** - * Adds a extension if none exists. - * - * @param req The request on which to apply policy. + * Adds a extension if none exists. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - if (mEnabled == false || mExtension == null) + if (mEnabled == false || mExtension == null) return res; - // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -188,7 +188,7 @@ public class IssuerAltNameExt extends APolicyRule extensions = new CertificateExtensions(); try { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { // not possible @@ -214,10 +214,10 @@ public class IssuerAltNameExt extends APolicyRule try { extensions.set(IssuerAlternativeNameExtension.NAME, mExtension); } catch (Exception e) { - if (e instanceof RuntimeException) + if (e instanceof RuntimeException) throw (RuntimeException) e; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); return PolicyResult.REJECTED; } @@ -226,21 +226,21 @@ public class IssuerAltNameExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return Empty Vector since this policy has no configuration parameters. - * for this policy instance. + * for this policy instance. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mParams; } /** * Return default parameters for a policy implementation. - * - * @return Empty Vector since this policy implementation has no - * configuration parameters. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return defaultParams; } @@ -249,4 +249,3 @@ public class IssuerAltNameExt extends APolicyRule } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java index 4f7a72c4d..7dc35a1a0 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -44,25 +43,25 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Policy to add Key Usage Extension. * Adds the key usage extension based on what's requested. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class KeyUsageExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String HTTP_INPUT = "HTTP_INPUT"; - protected static final boolean[] DEF_BITS = - new boolean[KeyUsageExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[KeyUsageExtension.NBITS]; protected int mCAPathLen = -1; protected IConfigStore mConfig = null; protected static final String PROP_CRITICAL = "critical"; @@ -97,25 +96,23 @@ public class KeyUsageExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=KeyUsageExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>. - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=KeyUsageExt ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>. + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot find the Certificate Manager or Registration Manager")); } @@ -146,29 +143,29 @@ public class KeyUsageExt extends APolicyRule /** * Adds the key usage extension if not set already. - * (CRMF, agent, authentication (currently) or PKCS#10 (future) - * or RA could have set the extension.) - * If not set, set from http input parameters or use default if + * (CRMF, agent, authentication (currently) or PKCS#10 (future) + * or RA could have set the extension.) + * If not set, set from http input parameters or use default if * no http input parameters are set. * - * Note: this allows any bits requested - does not check if user - * authenticated is allowed to have a Key Usage Extension with - * those bits. Unless the CA's certificate path length is 0, then + * Note: this allows any bits requested - does not check if user + * authenticated is allowed to have a Key Usage Extension with + * those bits. Unless the CA's certificate path length is 0, then * we do not allow CA sign or CRL sign bits in any request. * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -184,7 +181,7 @@ public class KeyUsageExt extends APolicyRule public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); KeyUsageExtension ext = null; if (extensions != null) { @@ -203,11 +200,11 @@ public class KeyUsageExt extends APolicyRule if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || - (bits.length > KeyUsageExtension.CRL_SIGN_BIT && + (bits.length > KeyUsageExtension.CRL_SIGN_BIT && bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), + NAME); return PolicyResult.REJECTED; } } @@ -216,8 +213,8 @@ public class KeyUsageExt extends APolicyRule } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } @@ -225,41 +222,41 @@ public class KeyUsageExt extends APolicyRule boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", - mDigitalSignature, req); - bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", + bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", + mDigitalSignature, req); + bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", mNonRepudiation, req); - bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", + bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", mKeyEncipherment, req); - bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", + bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", mDataEncipherment, req); - bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", - mKeyAgreement, req); - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", + bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", + mKeyAgreement, req); + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", mKeyCertsign, req); bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", mEncipherOnly, req); - bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", + bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", mDecipherOnly, req); - + // don't allow no bits set or the extension does not // encode/decode properlly. boolean bitset = false; for (int i = 0; i < bits.length; i++) { if (bits[i]) { - bitset = true; + bitset = true; break; } } if (!bitset) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), - NAME); + NAME); return PolicyResult.REJECTED; } - + // create the extension. try { mKeyUsage = new KeyUsageExtension(mCritical, bits); @@ -269,23 +266,23 @@ public class KeyUsageExt extends APolicyRule return PolicyResult.ACCEPTED; } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); @@ -328,21 +325,21 @@ public class KeyUsageExt extends APolicyRule PROP_ENCIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", PROP_DECIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-keyusage", + ";configuration-policyrules-keyusage", IExtendedPluginInfo.HELP_TEXT + - ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" - }; + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } @@ -355,4 +352,3 @@ public class KeyUsageExt extends APolicyRule return Boolean.valueOf(choice).booleanValue(); } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java index 68f5d875b..4b2da43dd 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.BufferedReader; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -45,21 +44,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Netscape comment * Adds Netscape comment policy * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class NSCCommentExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_USER_NOTICE_DISPLAY_TEXT = "displayText"; protected static final String PROP_COMMENT_FILE = "commentFile"; @@ -68,17 +67,17 @@ public class NSCCommentExt extends APolicyRule protected static final String TEXT = "Text"; protected static final String FILE = "File"; - protected String mUserNoticeDisplayText; - protected String mCommentFile; - protected String mInputType; + protected String mUserNoticeDisplayText; + protected String mCommentFile; + protected String mInputType; protected boolean mCritical; private Vector mParams = new Vector(); - protected String tempCommentFile; + protected String tempCommentFile; protected boolean certApplied = false; /** - * Adds the Netscape comment in the end-entity certificates or + * Adds the Netscape comment in the end-entity certificates or * CA certificates. The policy is set to be non-critical with the * provided OID. */ @@ -91,16 +90,13 @@ public class NSCCommentExt extends APolicyRule * Initializes this policy rule. * <p> * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=NSCCommentExtImpl - * ca.Policy.rule.<ruleName>.displayText=<n> - * ca.Policy.rule.<ruleName>.commentFile=<n> - * ca.Policy.rule.<ruleName>.enable=false - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=NSCCommentExtImpl ca.Policy.rule.<ruleName>.displayText=<n> ca.Policy.rule.<ruleName>.commentFile=<n> ca.Policy.rule.<ruleName>.enable=false + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { FileInputStream fileStream = null; @@ -138,11 +134,11 @@ public class NSCCommentExt extends APolicyRule mParams.addElement(PROP_COMMENT_FILE + "=" + mCommentFile); } catch (FileNotFoundException e) { - Object[] params = {getInstanceName(), "File not found : " + tempCommentFile}; + Object[] params = { getInstanceName(), "File not found : " + tempCommentFile }; throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); } catch (Exception e) { - Object[] params = {getInstanceName(), e.getMessage()}; + Object[] params = { getInstanceName(), e.getMessage() }; throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); } @@ -151,16 +147,16 @@ public class NSCCommentExt extends APolicyRule /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -191,8 +187,8 @@ public class NSCCommentExt extends APolicyRule if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -200,7 +196,7 @@ public class NSCCommentExt extends APolicyRule // remove any previously computed version of the extension try { extensions.delete(NSCCommentExtension.NAME); - + } catch (IOException e) { // this is the hack: for some reason, the key which is the name // of the policy has been converted into the OID @@ -225,9 +221,9 @@ public class NSCCommentExt extends APolicyRule fis.close(); } catch (IOException e) { setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, " Comment Text file not found : " + mCommentFile); + NAME, " Comment Text file not found : " + mCommentFile); log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_COMMENT_FILE_NOT_FOUND", e.toString())); + CMS.getLogMessage("POLICY_COMMENT_FILE_NOT_FOUND", e.toString())); return PolicyResult.REJECTED; } @@ -235,20 +231,20 @@ public class NSCCommentExt extends APolicyRule } certApplied = true; - + DisplayText displayText = - new DisplayText(DisplayText.tag_IA5String, mUserNoticeDisplayText); + new DisplayText(DisplayText.tag_IA5String, mUserNoticeDisplayText); try { - NSCCommentExtension cpExt = - new NSCCommentExtension(mCritical, mUserNoticeDisplayText); + NSCCommentExtension cpExt = + new NSCCommentExtension(mCritical, mUserNoticeDisplayText); extensions.set(NSCCommentExtension.NAME, cpExt); } catch (Exception e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); setError(req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; @@ -258,16 +254,16 @@ public class NSCCommentExt extends APolicyRule String[] params = { PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", PROP_INPUT_TYPE + ";choice(Text,File);Whether the comments " + - "would be entered in the displayText field or come from " + - "a file.", + "would be entered in the displayText field or come from " + + "a file.", PROP_USER_NOTICE_DISPLAY_TEXT + ";string;The comment that may be " + - "displayed to the user when the certificate is viewed.", + "displayed to the user when the certificate is viewed.", PROP_COMMENT_FILE + ";string; If data source is 'File', specify " + - "the file name with full path.", + "the file name with full path.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-nsccomment", + ";configuration-policyrules-nsccomment", IExtendedPluginInfo.HELP_TEXT + - ";Adds 'netscape comment' extension. See manual" + ";Adds 'netscape comment' extension. See manual" }; return params; @@ -276,19 +272,19 @@ public class NSCCommentExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java index 2ececcf9c..195a8792a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -46,30 +45,30 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * NS Cert Type policy. * Adds the ns cert type extension depending on cert type requested. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class NSCertTypeExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_SET_DEFAULT_BITS = "setDefaultBits"; protected static final boolean DEF_SET_DEFAULT_BITS = true; - protected static final String DEF_SET_DEFAULT_BITS_VAL = - Boolean.valueOf(DEF_SET_DEFAULT_BITS).toString(); + protected static final String DEF_SET_DEFAULT_BITS_VAL = + Boolean.valueOf(DEF_SET_DEFAULT_BITS).toString(); protected static final int DEF_PATHLEN = -1; - protected static final boolean[] DEF_BITS = - new boolean[NSCertTypeExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[NSCertTypeExtension.NBITS]; // XXX for future use. currenlty always allow. protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; @@ -112,16 +111,15 @@ public class NSCertTypeExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX future use. @@ -130,7 +128,7 @@ public class NSCertTypeExt extends APolicyRule mCritical = config.getBoolean(PROP_CRITICAL, false); ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority instanceof ICertificateAuthority) { CertificateChain caChain = certAuthority.getCACertChain(); @@ -141,7 +139,7 @@ public class NSCertTypeExt extends APolicyRule // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); - if (caCert != null) + if (caCert != null) mCAPathLen = caCert.getBasicConstraints(); } } @@ -155,21 +153,21 @@ public class NSCertTypeExt extends APolicyRule * reads ns cert type choices from form. If no choices from form * will defaults to all. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " + getInstanceName() + "::apply()"); PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -184,10 +182,10 @@ public class NSCertTypeExt extends APolicyRule public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - String certType = - req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); NSCertTypeExtension nsCertTypeExt = null; if (extensions != null) { @@ -201,13 +199,13 @@ public class NSCertTypeExt extends APolicyRule } // XXX agent servlet currently sets this. it should be // delayed to here. - if (nsCertTypeExt != null && - extensionIsGood(nsCertTypeExt, req)) { + if (nsCertTypeExt != null && + extensionIsGood(nsCertTypeExt, req)) { CMS.debug( - "NSCertTypeExt: already has correct ns cert type ext"); + "NSCertTypeExt: already has correct ns cert type ext"); return PolicyResult.ACCEPTED; - } else if ((nsCertTypeExt != null) && - (certType.equals("ocspResponder"))) { + } else if ((nsCertTypeExt != null) && + (certType.equals("ocspResponder"))) { // Fix for #528732 : Always delete // this extension from OCSP signing cert extensions.delete(NSCertTypeExtension.NAME); @@ -216,12 +214,12 @@ public class NSCertTypeExt extends APolicyRule } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); CMS.debug( - "NSCertTypeExt: Created extensions for adding ns cert type.."); + "NSCertTypeExt: Created extensions for adding ns cert type.."); } } // add ns cert type extension if not set or not set correctly. @@ -230,12 +228,12 @@ public class NSCertTypeExt extends APolicyRule bits = getBitsFromRequest(req, mSetDefaultBits); // check if ca doesn't allow any subordinate ca - if (mCAPathLen == 0 && bits != null) { - if (bits[NSCertTypeExtension.SSL_CA_BIT] || - bits[NSCertTypeExtension.EMAIL_CA_BIT] || - bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME); + if (mCAPathLen == 0 && bits != null) { + if (bits[NSCertTypeExtension.SSL_CA_BIT] || + bits[NSCertTypeExtension.EMAIL_CA_BIT] || + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME); return PolicyResult.REJECTED; } } @@ -249,11 +247,12 @@ public class NSCertTypeExt extends APolicyRule int j; for (j = 0; bits != null && j < bits.length; j++) - if (bits[j]) break; + if (bits[j]) + break; if (bits == null || j == bits.length) { if (!mSetDefaultBits) { CMS.debug( - "NSCertTypeExt: no bits requested, not setting default."); + "NSCertTypeExt: no bits requested, not setting default."); return PolicyResult.ACCEPTED; } else bits = DEF_BITS; @@ -264,26 +263,26 @@ public class NSCertTypeExt extends APolicyRule return PolicyResult.ACCEPTED; } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** - * check if ns cert type extension is set correctly, - * correct bits if not. + * check if ns cert type extension is set correctly, + * correct bits if not. * if not authorized to set extension, bits will be replaced. */ protected boolean extensionIsGood( - NSCertTypeExtension nsCertTypeExt, IRequest req) - throws IOException, CertificateException { + NSCertTypeExtension nsCertTypeExt, IRequest req) + throws IOException, CertificateException { // always return false for now to make sure minimum is set. // agents and ee can add others. @@ -295,7 +294,7 @@ public class NSCertTypeExt extends APolicyRule // don't know where this came from. // set all bits to false to reset. CMS.debug( - "NSCertTypeExt: unknown origin: setting ns cert type bits to false"); + "NSCertTypeExt: unknown origin: setting ns cert type bits to false"); boolean[] bits = new boolean[8]; for (int i = bits.length - 1; i >= 0; i--) { @@ -316,36 +315,36 @@ public class NSCertTypeExt extends APolicyRule } if (certType.equals(IRequest.CA_CERT)) { if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) && - !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_CA_BIT) && - !nsCertTypeExt.isSet( - NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_CA_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { // min not set so set all. CMS.debug( - "NSCertTypeExt: is extension good: no ca bits set. set all"); + "NSCertTypeExt: is extension good: no ca bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, - Boolean.valueOf(true)); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.EMAIL_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); } return true; } else if (certType.equals(IRequest.CLIENT_CERT)) { if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) && - !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) && - !nsCertTypeExt.isSet(NSCertTypeExtension.SSL_SERVER_BIT) && - !nsCertTypeExt.isSet( - NSCertTypeExtension.OBJECT_SIGNING_BIT)) { + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.SSL_SERVER_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_BIT)) { // min not set so set all. CMS.debug( - "NSCertTypeExt: is extension good: no cl bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, - new Boolean(true)); + "NSCertTypeExt: is extension good: no cl bits set. set all"); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, + new Boolean(true)); nsCertTypeExt.set(NSCertTypeExtension.EMAIL, - new Boolean(true)); + new Boolean(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING, - new Boolean(true)); + new Boolean(true)); } return true; } else if (certType.equals(IRequest.SERVER_CERT)) { @@ -359,13 +358,13 @@ public class NSCertTypeExt extends APolicyRule /** * Gets ns cert type bits from request. - * If none set, use cert type to determine correct bits. - * If no cert type, use default. - */ + * If none set, use cert type to determine correct bits. + * If no cert type, use default. + */ protected boolean[] getBitsFromRequest(IRequest req, boolean setDefault) { boolean[] bits = null; - + CMS.debug("NSCertTypeExt: ns cert type getting ns cert type vars"); bits = getNSCertTypeBits(req); if (bits == null && setDefault) { @@ -440,14 +439,14 @@ public class NSCertTypeExt extends APolicyRule */ protected boolean[] getCertTypeBits(IRequest req) { String certType = - req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - if (certType == null || certType.length() == 0) + if (certType == null || certType.length() == 0) return null; boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - for (int i = bits.length - 1; i >= 0; i--) + for (int i = bits.length - 1; i >= 0; i--) bits[i] = false; if (certType.equals(IRequest.CLIENT_CERT)) { @@ -477,7 +476,7 @@ public class NSCertTypeExt extends APolicyRule } /** - * merge bits with those set from form. + * merge bits with those set from form. * make sure required minimum is set. Agent or auth can set others. * XXX form shouldn't set the extension */ @@ -492,10 +491,10 @@ public class NSCertTypeExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); @@ -507,22 +506,22 @@ public class NSCertTypeExt extends APolicyRule private static Vector mDefParams = new Vector(); static { mDefParams.addElement( - PROP_CRITICAL + "=false"); + PROP_CRITICAL + "=false"); mDefParams.addElement( - PROP_SET_DEFAULT_BITS + "=" + DEF_SET_DEFAULT_BITS); + PROP_SET_DEFAULT_BITS + "=" + DEF_SET_DEFAULT_BITS); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", PROP_SET_DEFAULT_BITS + ";boolean;Specify whether to set the Netscape certificate " + - "type extension with default bits ('ssl client' and 'email') in certificates " + - "specified by the predicate " + - "expression.", + "type extension with default bits ('ssl client' and 'email') in certificates " + + "specified by the predicate " + + "expression.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-nscerttype", + ";configuration-policyrules-nscerttype", IExtendedPluginInfo.HELP_TEXT + - ";Adds Netscape Certificate Type extension." + ";Adds Netscape Certificate Type extension." }; return params; @@ -530,11 +529,10 @@ public class NSCertTypeExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java index 35106de41..c39be6982 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -43,22 +42,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Name Constraints Extension Policy - * Adds the name constraints extension to a (CA) certificate. + * Adds the name constraints extension to a (CA) certificate. * Filtering of CA certificates is done through predicates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class NameConstraintsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_PERMITTEDSUBTREES = "numPermittedSubtrees"; protected static final String PROP_NUM_EXCLUDEDSUBTREES = "numExcludedSubtrees"; @@ -90,37 +89,35 @@ public class NameConstraintsExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX should do do this ? // if CA does not allow subordinate CAs by way of basic constraints, // this policy always rejects /***** - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor)owner).getAuthority(); - if (certAuthority instanceof ICertificateAuthority) { - CertificateChain caChain = certAuthority.getCACertChain(); - X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. - if (caChain != null) { - caCert = caChain.getFirstCertificate(); - if (caCert != null) - mCAPathLen = caCert.getBasicConstraints(); - } - } + * ICertAuthority certAuthority = (ICertAuthority) + * ((IPolicyProcessor)owner).getAuthority(); + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } ****/ mEnabled = mConfig.getBoolean( @@ -133,25 +130,25 @@ public class NameConstraintsExt extends APolicyRule if (mNumPermittedSubtrees < 0) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_NUM_PERMITTEDSUBTREES, + PROP_NUM_PERMITTEDSUBTREES, "value must be greater than or equal to 0")); } if (mNumExcludedSubtrees < 0) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_NUM_EXCLUDEDSUBTREES, + PROP_NUM_EXCLUDEDSUBTREES, "value must be greater than or equal to 0")); } // init permitted subtrees if any. if (mNumPermittedSubtrees > 0) { - mPermittedSubtrees = + mPermittedSubtrees = form_subtrees(PROP_PERMITTEDSUBTREES, mNumPermittedSubtrees); CMS.debug("NameConstraintsExt: formed permitted subtrees"); } // init excluded subtrees if any. if (mNumExcludedSubtrees > 0) { - mExcludedSubtrees = + mExcludedSubtrees = form_subtrees(PROP_EXCLUDEDSUBTREES, mNumExcludedSubtrees); CMS.debug("NameConstraintsExt: formed excluded subtrees"); } @@ -163,13 +160,13 @@ public class NameConstraintsExt extends APolicyRule for (int i = 0; i < mNumPermittedSubtrees; i++) { permittedSubtrees.addElement( - mPermittedSubtrees[i].mGeneralSubtree); + mPermittedSubtrees[i].mGeneralSubtree); } Vector excludedSubtrees = new Vector(); for (int j = 0; j < mNumExcludedSubtrees; j++) { excludedSubtrees.addElement( - mExcludedSubtrees[j].mGeneralSubtree); + mExcludedSubtrees[j].mGeneralSubtree); } GeneralSubtrees psb = null; @@ -181,44 +178,44 @@ public class NameConstraintsExt extends APolicyRule if (excludedSubtrees.size() > 0) { esb = new GeneralSubtrees(excludedSubtrees); } - mNameConstraintsExtension = - new NameConstraintsExtension(mCritical, - psb, - esb); + mNameConstraintsExtension = + new NameConstraintsExtension(mCritical, + psb, + esb); CMS.debug("NameConstraintsExt: formed Name Constraints Extension " + - mNameConstraintsExtension); + mNameConstraintsExtension); } catch (IOException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Error initializing Name Constraints Extension: " + e)); + "Error initializing Name Constraints Extension: " + e)); } } // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - PROP_NUM_PERMITTEDSUBTREES + "=" + mNumPermittedSubtrees); + PROP_NUM_PERMITTEDSUBTREES + "=" + mNumPermittedSubtrees); mInstanceParams.addElement( - PROP_NUM_EXCLUDEDSUBTREES + "=" + mNumExcludedSubtrees); + PROP_NUM_EXCLUDEDSUBTREES + "=" + mNumExcludedSubtrees); if (mNumPermittedSubtrees > 0) { - for (int i = 0; i < mPermittedSubtrees.length; i++) + for (int i = 0; i < mPermittedSubtrees.length; i++) mPermittedSubtrees[i].getInstanceParams(mInstanceParams); } if (mNumExcludedSubtrees > 0) { - for (int j = 0; j < mExcludedSubtrees.length; j++) + for (int j = 0; j < mExcludedSubtrees.length; j++) mExcludedSubtrees[j].getInstanceParams(mInstanceParams); } } - Subtree[] form_subtrees(String subtreesName, int numSubtrees) - throws EBaseException { + Subtree[] form_subtrees(String subtreesName, int numSubtrees) + throws EBaseException { Subtree[] subtrees = new Subtree[numSubtrees]; for (int i = 0; i < numSubtrees; i++) { String subtreeName = subtreesName + i; IConfigStore subtreeConfig = mConfig.getSubStore(subtreeName); - Subtree subtree = - new Subtree(subtreeName, subtreeConfig, mEnabled); + Subtree subtree = + new Subtree(subtreeName, subtreeConfig, mEnabled); subtrees[i] = subtree; } @@ -228,10 +225,10 @@ public class NameConstraintsExt extends APolicyRule /** * Adds Name Constraints Extension to a (CA) certificate. * - * If a Name constraints Extension is already there, accept it if + * If a Name constraints Extension is already there, accept it if * it's been approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -244,12 +241,12 @@ public class NameConstraintsExt extends APolicyRule } // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -269,7 +266,7 @@ public class NameConstraintsExt extends APolicyRule try { NameConstraintsExtension nameConstraintsExt = null; CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { @@ -283,65 +280,65 @@ public class NameConstraintsExt extends APolicyRule if (nameConstraintsExt != null) { if (agentApproved(req)) { CMS.debug( - "NameConstraintsExt: request id from agent " + req.getRequestId() + - " already has name constraints - accepted"); + "NameConstraintsExt: request id from agent " + req.getRequestId() + + " already has name constraints - accepted"); return PolicyResult.ACCEPTED; } else { CMS.debug( - "NameConstraintsExt: request id " + req.getRequestId() + " from user " + - " already has name constraints - deleted"); + "NameConstraintsExt: request id " + req.getRequestId() + " from user " + + " already has name constraints - deleted"); extensions.delete(NameConstraintsExtension.NAME); } } if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( - NameConstraintsExtension.NAME, mNameConstraintsExtension); + NameConstraintsExtension.NAME, mNameConstraintsExtension); CMS.debug( - "NameConstraintsExt: added Name Constraints Extension to request " + - req.getRequestId()); + "NameConstraintsExt: added Name Constraints Extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. - * To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefParams.addElement( - PROP_NUM_PERMITTEDSUBTREES + "=" + DEF_NUM_PERMITTEDSUBTREES); + PROP_NUM_PERMITTEDSUBTREES + "=" + DEF_NUM_PERMITTEDSUBTREES); mDefParams.addElement( - PROP_NUM_EXCLUDEDSUBTREES + "=" + DEF_NUM_EXCLUDEDSUBTREES); + PROP_NUM_EXCLUDEDSUBTREES + "=" + DEF_NUM_EXCLUDEDSUBTREES); for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { Subtree.getDefaultParams(PROP_PERMITTEDSUBTREES + k, mDefParams); } @@ -352,10 +349,10 @@ public class NameConstraintsExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } @@ -364,9 +361,9 @@ public class NameConstraintsExt extends APolicyRule theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be critical."); theparams.addElement( - PROP_NUM_PERMITTEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); + PROP_NUM_PERMITTEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); theparams.addElement( - PROP_NUM_EXCLUDEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); + PROP_NUM_EXCLUDEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); // now do the subtrees. for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { @@ -376,9 +373,9 @@ public class NameConstraintsExt extends APolicyRule Subtree.getExtendedPluginInfo(PROP_EXCLUDEDSUBTREES + l, theparams); } theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-nameconstraints"); + ";configuration-policyrules-nameconstraints"); theparams.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Name Constraints Extension. See RFC 2459"); + ";Adds Name Constraints Extension. See RFC 2459"); String[] info = new String[theparams.size()]; @@ -387,9 +384,8 @@ public class NameConstraintsExt extends APolicyRule } } - /** - * subtree configuration + * subtree configuration */ class Subtree { @@ -400,8 +396,7 @@ class Subtree { protected static final int DEF_MIN = 0; protected static final int DEF_MAX = -1; // -1 (less than 0) means not set. - protected static final String - MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; + protected static final String MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; String mName = null; IConfigStore mConfig = null; @@ -414,13 +409,13 @@ class Subtree { String mNameDotMax = null; public Subtree( - String subtreeName, IConfigStore config, boolean policyEnabled) - throws EBaseException { + String subtreeName, IConfigStore config, boolean policyEnabled) + throws EBaseException { mName = subtreeName; mConfig = config; if (mName != null) { - mNameDot = mName + "."; + mNameDot = mName + "."; mNameDotMin = mNameDot + PROP_MIN; mNameDotMax = mNameDot + PROP_MAX; } else { @@ -439,13 +434,14 @@ class Subtree { // if policy enabled get values to form the general subtree. mMin = mConfig.getInteger(PROP_MIN, DEF_MIN); mMax = mConfig.getInteger(PROP_MAX, DEF_MAX); - if (mMax < -1) mMax = -1; + if (mMax < -1) + mMax = -1; mBase = CMS.createGeneralNameAsConstraintsConfig( - mNameDot + PROP_BASE, mConfig.getSubStore(PROP_BASE), + mNameDot + PROP_BASE, mConfig.getSubStore(PROP_BASE), true, policyEnabled); if (policyEnabled) { - mGeneralSubtree = + mGeneralSubtree = new GeneralSubtree(mBase.getGeneralName(), mMin, mMax); } } @@ -476,4 +472,3 @@ class Subtree { info.addElement(nameDot + PROP_MAX + ";" + MINMAX_INFO); } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java index e5cbab537..2bb3ff803 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -39,25 +38,25 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * This implements an OCSP Signing policy, it * adds the OCSP Signing extension to the certificate. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$ $Date$ */ public class OCSPNoCheckExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { - + implements IEnrollmentPolicy, IExtendedPluginInfo { + public static final String PROP_CRITICAL = "critical"; private boolean mCritical = false; - + // PKIX specifies the that the extension SHOULD NOT be critical public static final boolean DEFAULT_CRITICALITY = false; @@ -75,9 +74,9 @@ public class OCSPNoCheckExt extends APolicyRule String[] params = { PROP_CRITICAL + ";boolean;RFC 2560 recommendation: SHOULD be non-critical.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-ocspnocheck", + ";configuration-policyrules-ocspnocheck", IExtendedPluginInfo.HELP_TEXT + - ";Adds OCSP signing extension to certificate" + ";Adds OCSP signing extension to certificate" }; return params; @@ -88,9 +87,9 @@ public class OCSPNoCheckExt extends APolicyRule * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mOCSPNoCheck = new OCSPNoCheckExtension(); - + if (mOCSPNoCheck != null) { // configure the extension itself mCritical = config.getBoolean(PROP_CRITICAL, @@ -110,7 +109,7 @@ public class OCSPNoCheckExt extends APolicyRule } X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -131,15 +130,15 @@ public class OCSPNoCheckExt extends APolicyRule // find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { @@ -157,16 +156,16 @@ public class OCSPNoCheckExt extends APolicyRule } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, - e.getMessage()); + e.getMessage()); return PolicyResult.REJECTED; } } - + /** * Returns instance parameters. */ @@ -175,9 +174,9 @@ public class OCSPNoCheckExt extends APolicyRule params.addElement(PROP_CRITICAL + "=" + mCritical); return params; - + } - + /** * Returns default parameters. */ @@ -186,6 +185,6 @@ public class OCSPNoCheckExt extends APolicyRule defParams.addElement(PROP_CRITICAL + "=false"); return defParams; - + } } diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java index 717c19f70..a349d2868 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -40,31 +39,29 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Policy Constraints Extension Policy - * Adds the policy constraints extension to (CA) certificates. + * Adds the policy constraints extension to (CA) certificates. * Filtering of CA certificates is done through predicates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class PolicyConstraintsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; - protected static final String - PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; - protected static final String - PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; + protected static final String PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; + protected static final String PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; protected static final boolean DEF_CRITICAL = false; - protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set - protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set + protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set + protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set protected boolean mEnabled = false; protected IConfigStore mConfig = null; @@ -80,9 +77,9 @@ public class PolicyConstraintsExt extends APolicyRule static { mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefaultParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY); + PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY); mDefaultParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING); + PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING); } public PolicyConstraintsExt() { @@ -93,37 +90,35 @@ public class PolicyConstraintsExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX should do do this ? // if CA does not allow subordinate CAs by way of basic constraints, // this policy always rejects /***** - ICertAuthority certAuthority = (ICertAuthority) - ((GenericPolicyProcessor)owner).mAuthority; - if (certAuthority instanceof ICertificateAuthority) { - CertificateChain caChain = certAuthority.getCACertChain(); - X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. - if (caChain != null) { - caCert = caChain.getFirstCertificate(); - if (caCert != null) - mCAPathLen = caCert.getBasicConstraints(); - } - } + * ICertAuthority certAuthority = (ICertAuthority) + * ((GenericPolicyProcessor)owner).mAuthority; + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } ****/ mEnabled = mConfig.getBoolean( @@ -135,42 +130,42 @@ public class PolicyConstraintsExt extends APolicyRule mInhibitPolicyMapping = mConfig.getInteger( PROP_INHIBIT_POLICY_MAPPING, DEF_INHIBIT_POLICY_MAPPING); - if (mReqExplicitPolicy < -1) + if (mReqExplicitPolicy < -1) mReqExplicitPolicy = -1; - if (mInhibitPolicyMapping < -1) + if (mInhibitPolicyMapping < -1) mInhibitPolicyMapping = -1; - - // create instance of policy constraings extension + + // create instance of policy constraings extension try { - mPolicyConstraintsExtension = - new PolicyConstraintsExtension(mCritical, - mReqExplicitPolicy, mInhibitPolicyMapping); + mPolicyConstraintsExtension = + new PolicyConstraintsExtension(mCritical, + mReqExplicitPolicy, mInhibitPolicyMapping); CMS.debug( - "PolicyConstraintsExt: Created Policy Constraints Extension: " + - mPolicyConstraintsExtension); + "PolicyConstraintsExt: Created Policy Constraints Extension: " + + mPolicyConstraintsExtension); } catch (IOException e) { log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); + CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); throw new EBaseException( CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Could not init Policy Constraints Extension. Error: " + e)); + "Could not init Policy Constraints Extension. Error: " + e)); } // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); mInstanceParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); } /** * Adds Policy Constraints Extension to a (CA) certificate. * - * If a Policy constraints Extension is already there, accept it if + * If a Policy constraints Extension is already there, accept it if * it's been approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -181,12 +176,12 @@ public class PolicyConstraintsExt extends APolicyRule } // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -206,7 +201,7 @@ public class PolicyConstraintsExt extends APolicyRule try { PolicyConstraintsExtension policyConstraintsExt = null; CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { @@ -227,55 +222,55 @@ public class PolicyConstraintsExt extends APolicyRule if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( - "PolicyConstriantsExt", mPolicyConstraintsExtension); + "PolicyConstriantsExt", mPolicyConstraintsExtension); CMS.debug("PolicyConstraintsExt: added our policy constraints extension"); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * gets plugin info for pretty console edit displays. + * gets plugin info for pretty console edit displays. */ public String[] getExtendedPluginInfo(Locale locale) { mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); mInstanceParams.addElement( - PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); String[] params = { PROP_CRITICAL + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", @@ -287,4 +282,3 @@ public class PolicyConstraintsExt extends APolicyRule return params; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java index 452a9a3fa..2174485ff 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -43,22 +42,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Policy Mappings Extension Policy - * Adds the Policy Mappings extension to a (CA) certificate. + * Adds the Policy Mappings extension to a (CA) certificate. * Filtering of CA certificates is done through predicates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class PolicyMappingsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_POLICYMAPPINGS = "numPolicyMappings"; @@ -85,37 +84,35 @@ public class PolicyMappingsExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX should do do this ? // if CA does not allow subordinate CAs by way of basic constraints, // this policy always rejects /***** - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor)owner).getAuthority(); - if (certAuthority instanceof ICertificateAuthority) { - CertificateChain caChain = certAuthority.getCACertChain(); - X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. - if (caChain != null) { - caCert = caChain.getFirstCertificate(); - if (caCert != null) - mCAPathLen = caCert.getBasicConstraints(); - } - } + * ICertAuthority certAuthority = (ICertAuthority) + * ((IPolicyProcessor)owner).getAuthority(); + * if (certAuthority instanceof ICertificateAuthority) { + * CertificateChain caChain = certAuthority.getCACertChain(); + * X509Certificate caCert = null; + * // Note that in RA the chain could be null if CA was not up when + * // RA was started. In that case just set the length to -1 and let + * // CA reject if it does not allow any subordinate CA certs. + * if (caChain != null) { + * caCert = caChain.getFirstCertificate(); + * if (caCert != null) + * mCAPathLen = caCert.getBasicConstraints(); + * } + * } ****/ mEnabled = mConfig.getBoolean( @@ -140,7 +137,7 @@ public class PolicyMappingsExt extends APolicyRule mPolicyMaps[i] = new PolicyMap(subtreeName, mConfig, mEnabled); } catch (EBaseException e) { log(ILogger.LL_FAILURE, NAME + ": " + - CMS.getLogMessage("POLICY_ERROR_CREATE_MAP", e.toString())); + CMS.getLogMessage("POLICY_ERROR_CREATE_MAP", e.toString())); throw e; } } @@ -152,21 +149,21 @@ public class PolicyMappingsExt extends APolicyRule for (int j = 0; j < mNumPolicyMappings; j++) { certPolicyMaps.addElement( - mPolicyMaps[j].mCertificatePolicyMap); + mPolicyMaps[j].mCertificatePolicyMap); } - mPolicyMappingsExtension = + mPolicyMappingsExtension = new PolicyMappingsExtension(mCritical, certPolicyMaps); } catch (IOException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Error initializing " + NAME + " Error: " + e)); + "Error initializing " + NAME + " Error: " + e)); } } // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - PROP_NUM_POLICYMAPPINGS + "=" + mNumPolicyMappings); + PROP_NUM_POLICYMAPPINGS + "=" + mNumPolicyMappings); for (int i = 0; i < mNumPolicyMappings; i++) { mPolicyMaps[i].getInstanceParams(mInstanceParams); } @@ -175,10 +172,10 @@ public class PolicyMappingsExt extends APolicyRule /** * Adds policy mappings Extension to a (CA) certificate. * - * If a policy mappings Extension is already there, accept it if + * If a policy mappings Extension is already there, accept it if * it's been approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -191,12 +188,12 @@ public class PolicyMappingsExt extends APolicyRule } // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -215,7 +212,7 @@ public class PolicyMappingsExt extends APolicyRule try { PolicyMappingsExtension policyMappingsExt = null; CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { @@ -236,87 +233,87 @@ public class PolicyMappingsExt extends APolicyRule if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( - PolicyMappingsExtension.NAME, mPolicyMappingsExtension); + PolicyMappingsExtension.NAME, mPolicyMappingsExtension); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_PROCESS_POLICYMAP_EXT", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_PROCESS_POLICYMAP_EXT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. - * To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefParams.addElement( - PROP_NUM_POLICYMAPPINGS + "=" + DEF_NUM_POLICYMAPPINGS); + PROP_NUM_POLICYMAPPINGS + "=" + DEF_NUM_POLICYMAPPINGS); String policyMap0Dot = PROP_POLICYMAP + "0."; mDefParams.addElement( - policyMap0Dot + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + "=" + ""); + policyMap0Dot + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + "=" + ""); mDefParams.addElement( - policyMap0Dot + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + "=" + ""); + policyMap0Dot + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + "=" + ""); } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); - + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be non-critical."); theparams.addElement(PROP_NUM_POLICYMAPPINGS + ";number; Number of policy mappings. The value must be greater than or equal to 1"); - String policyInfo = - ";string;An object identifier in the form n.n.n.n"; + String policyInfo = + ";string;An object identifier in the form n.n.n.n"; for (int k = 0; k < 5; k++) { String policyMapkDot = PROP_POLICYMAP + k + "."; theparams.addElement(policyMapkDot + - PolicyMap.PROP_ISSUER_DOMAIN_POLICY + policyInfo); + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + policyInfo); theparams.addElement(policyMapkDot + - PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + policyInfo); + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + policyInfo); } theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-policymappings"); + ";configuration-policyrules-policymappings"); theparams.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Policy Mappings Extension. See RFC 2459 (4.2.1.6)"); + ";Adds Policy Mappings Extension. See RFC 2459 (4.2.1.6)"); String[] params = new String[theparams.size()]; @@ -325,7 +322,6 @@ public class PolicyMappingsExt extends APolicyRule } } - class PolicyMap { protected static String PROP_ISSUER_DOMAIN_POLICY = "issuerDomainPolicy"; @@ -340,47 +336,48 @@ class PolicyMap { /** * forms policy map parameters. + * * @param name name of this policy map, for example policyMap0 * @param config parent's config from where we find this configuration. * @param enabled whether policy was enabled. */ - protected PolicyMap(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected PolicyMap(String name, IConfigStore config, boolean enabled) + throws EBaseException { mName = name; mConfig = config.getSubStore(mName); mNameDot = mName + "."; - if( mConfig == null ) { - CMS.debug( "PolicyMappingsExt::PolicyMap - mConfig is null!" ); + if (mConfig == null) { + CMS.debug("PolicyMappingsExt::PolicyMap - mConfig is null!"); return; } // if there's no configuration for this map put it there. if (mConfig.size() == 0) { - config.putString(mNameDot + PROP_ISSUER_DOMAIN_POLICY, ""); - config.putString(mNameDot + PROP_SUBJECT_DOMAIN_POLICY, ""); + config.putString(mNameDot + PROP_ISSUER_DOMAIN_POLICY, ""); + config.putString(mNameDot + PROP_SUBJECT_DOMAIN_POLICY, ""); mConfig = config.getSubStore(mName); if (mConfig == null || mConfig.size() == 0) { - CMS.debug( "PolicyMappingsExt::PolicyMap - mConfig " + - "is null or empty!" ); + CMS.debug("PolicyMappingsExt::PolicyMap - mConfig " + + "is null or empty!"); return; } } // get policy ids from configuration. - mIssuerDomainPolicy = + mIssuerDomainPolicy = mConfig.getString(PROP_ISSUER_DOMAIN_POLICY, null); - mSubjectDomainPolicy = + mSubjectDomainPolicy = mConfig.getString(PROP_SUBJECT_DOMAIN_POLICY, null); // adjust for "" and console returning "null" - if (mIssuerDomainPolicy != null && - (mIssuerDomainPolicy.length() == 0 || + if (mIssuerDomainPolicy != null && + (mIssuerDomainPolicy.length() == 0 || mIssuerDomainPolicy.equals("null"))) { mIssuerDomainPolicy = null; } - if (mSubjectDomainPolicy != null && - (mSubjectDomainPolicy.length() == 0 || + if (mSubjectDomainPolicy != null && + (mSubjectDomainPolicy.length() == 0 || mSubjectDomainPolicy.equals("null"))) { mSubjectDomainPolicy = null; } @@ -388,26 +385,26 @@ class PolicyMap { // policy ids cannot be null if policy is enabled. String msg = "value cannot be null."; - if (mIssuerDomainPolicy == null && enabled) + if (mIssuerDomainPolicy == null && enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mNameDot + PROP_ISSUER_DOMAIN_POLICY, msg)); - if (mSubjectDomainPolicy == null && enabled) + if (mSubjectDomainPolicy == null && enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mNameDot + PROP_SUBJECT_DOMAIN_POLICY, msg)); - // if a policy id is not null check that it is a valid OID. + // if a policy id is not null check that it is a valid OID. ObjectIdentifier issuerPolicyId = null; ObjectIdentifier subjectPolicyId = null; - if (mIssuerDomainPolicy != null) + if (mIssuerDomainPolicy != null) issuerPolicyId = CMS.checkOID( mNameDot + PROP_ISSUER_DOMAIN_POLICY, mIssuerDomainPolicy); - if (mSubjectDomainPolicy != null) + if (mSubjectDomainPolicy != null) subjectPolicyId = CMS.checkOID( mNameDot + PROP_SUBJECT_DOMAIN_POLICY, mSubjectDomainPolicy); - - // if enabled, form CertificatePolicyMap to be encoded in extension. - // policy ids should be all set. + + // if enabled, form CertificatePolicyMap to be encoded in extension. + // policy ids should be all set. if (enabled) { mCertificatePolicyMap = new CertificatePolicyMap( new CertificatePolicyId(issuerPolicyId), @@ -417,12 +414,11 @@ class PolicyMap { protected void getInstanceParams(Vector instanceParams) { instanceParams.addElement( - mNameDot + PROP_ISSUER_DOMAIN_POLICY + "=" + (mIssuerDomainPolicy == null ? "" : - mIssuerDomainPolicy)); + mNameDot + PROP_ISSUER_DOMAIN_POLICY + "=" + (mIssuerDomainPolicy == null ? "" : + mIssuerDomainPolicy)); instanceParams.addElement( - mNameDot + PROP_SUBJECT_DOMAIN_POLICY + "=" + (mSubjectDomainPolicy == null ? "" : - mSubjectDomainPolicy)); + mNameDot + PROP_SUBJECT_DOMAIN_POLICY + "=" + (mSubjectDomainPolicy == null ? "" : + mSubjectDomainPolicy)); } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java index 41f08963a..4ce870950 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.util.Locale; import java.util.Vector; @@ -32,11 +31,12 @@ import com.netscape.cms.policy.APolicyRule; /** * Checks extension presence. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ @@ -77,7 +77,7 @@ public class PresenceExt extends APolicyRule { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mCritical = config.getBoolean(PROP_IS_CRITICAL, false); @@ -102,14 +102,14 @@ public class PresenceExt extends APolicyRule { mTelephoneNumber, mRFC822Name, mID, mHostName, mPortNumber, mMaxUsers, mServiceLevel); */ - + return res; } - public Vector getInstanceParams() { - Vector params = new Vector(); + public Vector getInstanceParams() { + Vector params = new Vector(); - params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); params.addElement(PROP_OID + "=" + mOID); params.addElement(PROP_VERSION + "=" + mVersion); params.addElement(PROP_STREET_ADDRESS + "=" + mStreetAddress); @@ -137,21 +137,21 @@ public class PresenceExt extends APolicyRule { PROP_MAX_USERS + ";string; max users", PROP_SERVICE_LEVEL + ";string; service level", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-presenceext", + ";configuration-policyrules-presenceext", IExtendedPluginInfo.HELP_TEXT + - ";Adds Presence Server Extension;" + ";Adds Presence Server Extension;" - }; + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } } diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java index ff0d5749b..eaf19bb33 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.text.SimpleDateFormat; @@ -42,20 +41,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * PrivateKeyUsagePeriod Identifier Extension policy. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class PrivateKeyUsagePeriodExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String PROP_NOT_BEFORE = "notBefore"; private final static String PROP_NOT_AFTER = "notAfter"; @@ -94,16 +93,16 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_IS_CRITICAL + ";boolean;RFC 2459 recommendation: The profile " + - "recommends against the use of this extension. CAs " + - "conforming to the profile MUST NOT generate certs with " + - "critical private key usage period extensions.", + "recommends against the use of this extension. CAs " + + "conforming to the profile MUST NOT generate certs with " + + "critical private key usage period extensions.", PROP_NOT_BEFORE + ";string; Date before which the Private Key is invalid.", PROP_NOT_AFTER + ";string; Date after which the Private Key is invalid.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-privatekeyusageperiod", + ";configuration-policyrules-privatekeyusageperiod", IExtendedPluginInfo.HELP_TEXT + - ";Adds (deprecated) Private Key Usage Period Extension. " + - "Defined in RFC 2459 (4.2.1.4)" + ";Adds (deprecated) Private Key Usage Period Extension. " + + "Defined in RFC 2459 (4.2.1.4)" }; return params; @@ -119,17 +118,17 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule /** * Initializes this policy rule. - * ra.Policy.rule.<ruleName>.implName=PrivateKeyUsageExtension - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.notBefore=30 - * ra.Policy.rule.<ruleName>.notAfter=180 - * ra.Policy.rule.<ruleName>.critical=false - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=PrivateKeyUsageExtension + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.notBefore=30 + * ra.Policy.rule.<ruleName>.notAfter=180 + * ra.Policy.rule.<ruleName>.critical=false + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { try { // Get params. @@ -145,7 +144,7 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule notAfter = formatter.format(formatter.parse(mNotAfter.trim())); } catch (Exception e) { // e.printStackTrace(); - Object[] params = {getInstanceName(), e}; + Object[] params = { getInstanceName(), e }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); @@ -154,20 +153,20 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule } /** - * Adds a private key usage extension if none exists. - * - * @param req The request on which to apply policy. + * Adds a private key usage extension if none exists. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -201,7 +200,7 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule // remove any previously computed version of the extension try { extensions.delete(PrivateKeyUsageExtension.NAME); - + } catch (IOException e) { } @@ -209,16 +208,16 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule try { ext = new PrivateKeyUsageExtension( - formatter.parse(mNotBefore), + formatter.parse(mNotBefore), formatter.parse(mNotAfter)); certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions.set(PrivateKeyUsageExtension.NAME, ext); } catch (Exception e) { - if (e instanceof RuntimeException) + if (e instanceof RuntimeException) throw (RuntimeException) e; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", e.toString())); setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); return PolicyResult.REJECTED; } @@ -227,11 +226,11 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return Empty Vector since this policy has no configuration parameters. - * for this policy instance. + * for this policy instance. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_IS_CRITICAL + "=" + mCritical); @@ -242,11 +241,11 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule /** * Return default parameters for a policy implementation. - * - * @return Empty Vector since this policy implementation has no - * configuration parameters. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); @@ -255,4 +254,3 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule return defParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java index de39cccd6..1c2e89ff6 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -37,55 +36,55 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Remove Basic Constraints policy. * Adds the Basic constraints extension. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class RemoveBasicConstraintsExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { public RemoveBasicConstraintsExt() { NAME = "RemoveBasicConstraintsExt"; DESC = "Remove Basic Constraints extension"; } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { } public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, certInfo); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; } public PolicyResult applyCert( - IRequest req, X509CertInfo certInfo) { + IRequest req, X509CertInfo certInfo) { // get basic constraints extension from cert info if any. CertificateExtensions extensions = null; @@ -110,10 +109,10 @@ public class RemoveBasicConstraintsExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); return params; @@ -121,10 +120,10 @@ public class RemoveBasicConstraintsExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); return defParams; @@ -133,13 +132,12 @@ public class RemoveBasicConstraintsExt extends APolicyRule public String[] getExtendedPluginInfo(Locale locale) { String[] params = { IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-removebasicconstraints", + ";configuration-policyrules-removebasicconstraints", IExtendedPluginInfo.HELP_TEXT + - ";Removes the Basic Constraints extension." + ";Removes the Basic Constraints extension." }; return params; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java index c9ce68f65..33a8c3719 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -42,43 +41,36 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * - * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. - * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt. + * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. + * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt. * <p> * * Subject Alternative Name extension policy in CMS 4.1. - * - * Adds the subject alternative name extension depending on the - * certificate type requested. - * - * Two forms are supported. 1) For S/MIME certificates, email - * addresses are copied from data stored in the request by the - * authentication component. Both 'e' and 'altEmail' are supported - * so that both the primary address and alternative forms may be - * certified. Only the primary goes in the subjectName position (which - * should be phased out). - * - * e - * mailAlternateAddress + * + * Adds the subject alternative name extension depending on the certificate type requested. + * + * Two forms are supported. 1) For S/MIME certificates, email addresses are copied from data stored in the request by the authentication component. Both 'e' and 'altEmail' are supported so that both the primary address and alternative forms may be certified. Only the primary goes in the subjectName position (which should be phased out). + * + * e mailAlternateAddress * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class SubjAltNameExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { // for future use. currently always allow. protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; protected static final String PROP_EE_OVERR = "AllowEEOverride"; protected static final String PROP_ENABLE_MANUAL_VALUES = - "enableManualValues"; + "enableManualValues"; // for future use. currently always non-critical // (standard says SHOULD be marked critical if included.) @@ -103,15 +95,15 @@ public class SubjAltNameExt extends APolicyRule String[] params = { PROP_CRITICAL + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjaltname", + ";configuration-policyrules-subjaltname", IExtendedPluginInfo.HELP_TEXT + - ";This policy inserts the Subject Alternative Name " + - "Extension into the certificate. See RFC 2459 (4.2.1.7). " + - "* Note: you probably want to use this policy in " + - "conjunction with an authentication manager which sets " + - "the 'mail' or 'mailalternateaddress' values in the authToken. " + - "See the 'ldapStringAttrs' parameter in the Directory-based " + - "authentication plugin" + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin" }; return params; @@ -121,16 +113,15 @@ public class SubjAltNameExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // future use. mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); @@ -140,21 +131,21 @@ public class SubjAltNameExt extends APolicyRule /** * Adds the subject alternative names extension if not set already. - * + * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // Find the X509CertInfo object in the request - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -174,12 +165,11 @@ public class SubjAltNameExt extends APolicyRule // // General error handling block // - apply: - try { + apply: try { // Find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions != null) { // @@ -199,11 +189,11 @@ public class SubjAltNameExt extends APolicyRule // non-client certs, and implement client certs directly here. // String certType = - req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); if (certType == null || - !certType.equals(IRequest.CLIENT_CERT) || - !req.getExtDataInBoolean(IRequest.SMIME, false)) { + !certType.equals(IRequest.CLIENT_CERT) || + !req.getExtDataInBoolean(IRequest.SMIME, false)) { break apply; } @@ -212,30 +202,32 @@ public class SubjAltNameExt extends APolicyRule IAuthToken tok = findAuthToken(req, null); - if (tok == null) break apply; + if (tok == null) + break apply; Vector emails = getEmailList(tok); - if (emails == null) break apply; + if (emails == null) + break apply; - // Create the extension + // Create the extension SubjectAlternativeNameExtension subjAltNameExt = mkExt(emails); if (extensions == null) extensions = createCertificateExtensions(certInfo); extensions.set(SubjectAlternativeNameExtension.NAME, - subjAltNameExt); + subjAltNameExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } @@ -247,7 +239,7 @@ public class SubjAltNameExt extends APolicyRule * If the token is not present return null */ protected IAuthToken - findAuthToken(IRequest req, String authMgrName) { + findAuthToken(IRequest req, String authMgrName) { return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); } @@ -264,7 +256,8 @@ public class SubjAltNameExt extends APolicyRule addValues(tok, "mail", v); addValues(tok, "mailalternateaddress", v); - if (v.size() == 0) return null; + if (v.size() == 0) + return null; return v; } @@ -273,10 +266,11 @@ public class SubjAltNameExt extends APolicyRule * Add attribute values from an LDAP attribute to a vector */ protected void - addValues(IAuthToken tok, String attrName, Vector v) { + addValues(IAuthToken tok, String attrName, Vector v) { String attr[] = tok.getInStringArray(attrName); - if (attr == null) return; + if (attr == null) + return; for (int i = 0; i < attr.length; i++) { v.addElement(attr[i]); @@ -287,8 +281,8 @@ public class SubjAltNameExt extends APolicyRule * Make a Subject name extension given a list of email addresses */ protected SubjectAlternativeNameExtension - mkExt(Vector emails) - throws IOException { + mkExt(Vector emails) + throws IOException { SubjectAlternativeNameExtension sa; GeneralNames gns = new GeneralNames(); @@ -306,17 +300,17 @@ public class SubjAltNameExt extends APolicyRule /** * Create a new SET of extensions in the certificate info * object. - * + * * This should be a method in the X509CertInfo object */ - protected CertificateExtensions - createCertificateExtensions(X509CertInfo certInfo) - throws IOException, CertificateException { + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { CertificateExtensions extensions; // Force version to V3 - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); @@ -326,10 +320,10 @@ public class SubjAltNameExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); //params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride); @@ -342,10 +336,10 @@ public class SubjAltNameExt extends APolicyRule /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); //defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR); @@ -356,4 +350,3 @@ public class SubjAltNameExt extends APolicyRule return defParams; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java index 7ff1a6c97..f74578394 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -45,32 +44,32 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Subject Alternative Name extension policy. - * + * * Adds the subject alternative name extension as configured. - * - * Two forms are supported. 1) For S/MIME certificates, email + * + * Two forms are supported. 1) For S/MIME certificates, email * addresses are copied from data stored in the request by the - * authentication component. Both 'e' and 'altEmail' are supported + * authentication component. Both 'e' and 'altEmail' are supported * so that both the primary address and alternative forms may be - * certified. Only the primary goes in the subjectName position (which + * certified. Only the primary goes in the subjectName position (which * should be phased out). - * + * * e * mailAlternateAddress * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class SubjectAltNameExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; protected static final boolean DEF_CRITICAL = false; @@ -89,11 +88,11 @@ public class SubjectAltNameExt extends APolicyRule // default params. mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefParams.addElement( - IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + - IGeneralNameUtil.DEF_NUM_GENERALNAMES); + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + + IGeneralNameUtil.DEF_NUM_GENERALNAMES); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigDefaultParams( - IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); + IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); } } @@ -107,16 +106,15 @@ public class SubjectAltNameExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // get criticality @@ -127,11 +125,11 @@ public class SubjectAltNameExt extends APolicyRule IPolicyProcessor.PROP_ENABLE, false); // get general names configuration. - mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); + mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); if (mNumGNs <= 0) { throw new EBaseException( - CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", - IGeneralNameUtil.PROP_NUM_GENERALNAMES)); + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", + IGeneralNameUtil.PROP_NUM_GENERALNAMES)); } mGNs = new ISubjAltNameConfig[mNumGNs]; for (int i = 0; i < mNumGNs; i++) { @@ -144,7 +142,7 @@ public class SubjectAltNameExt extends APolicyRule // init instance params. mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( - IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); for (int j = 0; j < mGNs.length; j++) { mGNs[j].getInstanceParams(mInstanceParams); } @@ -152,21 +150,21 @@ public class SubjectAltNameExt extends APolicyRule /** * Adds the subject alternative names extension if not set already. - * + * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // Find the X509CertInfo object in the request - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -186,7 +184,7 @@ public class SubjectAltNameExt extends APolicyRule try { // Find the extensions in the certInfo CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); // Remove any previously computed version of the extension // unless it is from RA. If from RA, accept what RA put in @@ -194,7 +192,7 @@ public class SubjectAltNameExt extends APolicyRule if (extensions != null) { String sourceId = req.getSourceId(); - if (sourceId != null && sourceId.length() > 0) + if (sourceId != null && sourceId.length() > 0) return res; // accepted try { extensions.delete(SubjectAlternativeNameExtension.NAME); @@ -223,8 +221,8 @@ public class SubjectAltNameExt extends APolicyRule } // nothing was found in request to put into extension - if (gns.size() == 0) - return res; // accepted + if (gns.size() == 0) + return res; // accepted String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); @@ -233,10 +231,9 @@ public class SubjectAltNameExt extends APolicyRule if (subject.equals("")) { curCritical = true; } - + // make the extension - SubjectAlternativeNameExtension - sa = new SubjectAlternativeNameExtension(curCritical, gns); + SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension(curCritical, gns); // add it to certInfo. if (extensions == null) @@ -248,19 +245,19 @@ public class SubjectAltNameExt extends APolicyRule } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Internal Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Internal Error"); return PolicyResult.REJECTED; // unrecoverable error. } } @@ -268,17 +265,17 @@ public class SubjectAltNameExt extends APolicyRule /** * Create a new SET of extensions in the certificate info * object. - * + * * This should be a method in the X509CertInfo object */ - protected CertificateExtensions - createCertificateExtensions(X509CertInfo certInfo) - throws IOException, CertificateException { + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { CertificateExtensions extensions; // Force version to V3 - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); @@ -288,19 +285,19 @@ public class SubjectAltNameExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } @@ -313,22 +310,21 @@ public class SubjectAltNameExt extends APolicyRule info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigExtendedPluginInfo( - IGeneralNameUtil.PROP_GENERALNAME + i, info); + IGeneralNameUtil.PROP_GENERALNAME + i, info); } info.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjaltname"); + ";configuration-policyrules-subjaltname"); info.addElement(IExtendedPluginInfo.HELP_TEXT + - ";This policy inserts the Subject Alternative Name " + - "Extension into the certificate. See RFC 2459 (4.2.1.7). " + - "* Note: you probably want to use this policy in " + - "conjunction with an authentication manager which sets " + - "the 'mail' or 'mailalternateaddress' values in the authToken. " + - "See the 'ldapStringAttrs' parameter in the Directory-based " + - "authentication plugin"); + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin"); mExtendedPluginInfo = new String[info.size()]; info.copyInto(mExtendedPluginInfo); return mExtendedPluginInfo; } } - diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java index be858c9f0..26009141c 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -45,20 +44,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Policy to add the subject directory attributes extension. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectDirectoryAttributesExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class SubjectDirectoryAttributesExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ATTRIBUTE = "attribute"; protected static final String PROP_NUM_ATTRIBUTES = "numAttributes"; @@ -75,7 +74,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule protected SubjectDirAttributesExtension mExt = null; protected Vector mParams = new Vector(); - private String[] mEPI = null; // extended plugin info + private String[] mEPI = null; // extended plugin info protected static Vector mDefParams = new Vector(); static { @@ -85,16 +84,16 @@ public class SubjectDirectoryAttributesExt extends APolicyRule public SubjectDirectoryAttributesExt() { NAME = "SubjectDirectoryAttributesExtPolicy"; DESC = "Sets Subject Directory Attributes Extension in certificates."; - setExtendedPluginInfo(); + setExtendedPluginInfo(); } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { boolean enabled = config.getBoolean("enabled", false); mConfig = config; - mCritical = mConfig.getBoolean(PROP_CRITICAL, false); + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); mNumAttributes = mConfig.getInteger(PROP_NUM_ATTRIBUTES, DEF_NUM_ATTRIBUTES); if (mNumAttributes < 1) { EBaseException ex = new EBaseException( @@ -110,14 +109,14 @@ public class SubjectDirectoryAttributesExt extends APolicyRule mAttributes[i] = new AttributeConfig(name, c, enabled); } - if (enabled) { + if (enabled) { try { mExt = formExt(null); } catch (IOException e) { log(ILogger.LL_FAILURE, NAME + " Error: " + e.getMessage()); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Error forming Subject Directory Attributes Extension. " + - "See log file for details.")); + "See log file for details.")); } } setInstanceParams(); @@ -126,7 +125,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -136,7 +135,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule for (int i = 0; i < ci.length; i++) { PolicyResult r = applyCert(req, ci[i]); - if (r == PolicyResult.REJECTED) + if (r == PolicyResult.REJECTED) return r; } return PolicyResult.ACCEPTED; @@ -153,7 +152,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule if (extensions == null) { extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { @@ -173,7 +172,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule } else { SubjectDirAttributesExtension ext = formExt(req); - if (ext != null) + if (ext != null) extensions.set(SubjectDirAttributesExtension.NAME, formExt(req)); } return PolicyResult.ACCEPTED; @@ -181,14 +180,14 @@ public class SubjectDirectoryAttributesExt extends APolicyRule log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "IOException Error"); + NAME, "IOException Error"); return PolicyResult.REJECTED; - } + } } public Vector getInstanceParams() { @@ -200,12 +199,12 @@ public class SubjectDirectoryAttributesExt extends APolicyRule } public String[] getExtendedPluginInfo(Locale locale) { - return mEPI; // inited in the constructor. + return mEPI; // inited in the constructor. } private void setInstanceParams() { - mParams.addElement(PROP_CRITICAL + "=" + mCritical); - mParams.addElement(PROP_NUM_ATTRIBUTES + "=" + mNumAttributes); + mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mParams.addElement(PROP_NUM_ATTRIBUTES + "=" + mNumAttributes); for (int i = 0; i < mNumAttributes; i++) { mAttributes[i].getInstanceParams(mParams); } @@ -216,8 +215,8 @@ public class SubjectDirectoryAttributesExt extends APolicyRule } private static void setDefaultParams() { - mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(PROP_NUM_ATTRIBUTES + "=" + DEF_NUM_ATTRIBUTES); + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement(PROP_NUM_ATTRIBUTES + "=" + DEF_NUM_ATTRIBUTES); for (int i = 0; i < DEF_NUM_ATTRIBUTES; i++) { AttributeConfig.getDefaultParams(PROP_ATTRIBUTE + i, mDefParams); } @@ -227,32 +226,31 @@ public class SubjectDirectoryAttributesExt extends APolicyRule Vector v = new Vector(); v.addElement(PROP_CRITICAL + ";boolean;" + - "RFC 2459 recommendation: MUST be non-critical."); + "RFC 2459 recommendation: MUST be non-critical."); v.addElement(PROP_NUM_ATTRIBUTES + ";number;" + - "Number of Attributes in the extension."); + "Number of Attributes in the extension."); for (int i = 0; i < MAX_NUM_ATTRIBUTES; i++) { AttributeConfig.getExtendedPluginInfo(PROP_ATTRIBUTE + i, v); } v.addElement(IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjectdirectoryattributes"); + ";configuration-policyrules-subjectdirectoryattributes"); v.addElement(IExtendedPluginInfo.HELP_TEXT + - ";Adds Subject Directory Attributes extension. See RFC 2459 (4.2.1.9). It's not recommended as an essential part of the profile, but may be used in local environments."); + ";Adds Subject Directory Attributes extension. See RFC 2459 (4.2.1.9). It's not recommended as an essential part of the profile, but may be used in local environments."); mEPI = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } - private SubjectDirAttributesExtension formExt(IRequest req) - throws IOException { + private SubjectDirAttributesExtension formExt(IRequest req) + throws IOException { Vector attrs = new Vector(); // if we're called from init and one attribute is from request attribute // the ext can't be formed yet. if (req == null) { for (int i = 0; i < mNumAttributes; i++) { - if (mAttributes[i].mWhereToGetValue == - AttributeConfig.USE_REQUEST_ATTR) + if (mAttributes[i].mWhereToGetValue == AttributeConfig.USE_REQUEST_ATTR) return null; } } @@ -264,24 +262,23 @@ public class SubjectDirectoryAttributesExt extends APolicyRule // skip attribute if request attribute doesn't exist. Attribute a = mAttributes[i].formAttr(req); - if (a == null) + if (a == null) continue; attrs.addElement(a); } } - if (attrs.size() == 0) + if (attrs.size() == 0) return null; Attribute[] attrList = new Attribute[attrs.size()]; attrs.copyInto(attrList); - SubjectDirAttributesExtension ext = - new SubjectDirAttributesExtension(attrList); + SubjectDirAttributesExtension ext = + new SubjectDirAttributesExtension(attrList); return ext; } } - class AttributeConfig { protected static final String PROP_ATTRIBUTE_NAME = "attributeName"; @@ -304,21 +301,21 @@ class AttributeConfig { protected Attribute mAttribute = null; protected static final String ATTRIBUTE_NAME_INFO = "Attribute name."; - protected static final String WTG_VALUE_INFO = - PROP_WTG_VALUE + ";choice(" + USE_REQUEST_ATTR + "," + USE_FIXED + ");" + - "Get value from a request attribute or use a fixed value specified below."; - protected static final String VALUE_INFO = - PROP_VALUE + ";string;" + - "Request attribute name or a fixed value to put into the extension."; - - public AttributeConfig(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected static final String WTG_VALUE_INFO = + PROP_WTG_VALUE + ";choice(" + USE_REQUEST_ATTR + "," + USE_FIXED + ");" + + "Get value from a request attribute or use a fixed value specified below."; + protected static final String VALUE_INFO = + PROP_VALUE + ";string;" + + "Request attribute name or a fixed value to put into the extension."; + + public AttributeConfig(String name, IConfigStore config, boolean enabled) + throws EBaseException { X500NameAttrMap map = X500NameAttrMap.getDefault(); mName = name; mConfig = config; if (enabled) { - mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME); + mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME); mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE); mValue = mConfig.getString(PROP_VALUE); } else { @@ -329,7 +326,7 @@ class AttributeConfig { if (mAttributeName.length() > 0) { mAttributeOID = map.getOid(mAttributeName); - if (mAttributeOID == null) + if (mAttributeOID == null) throw new EBaseException( CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mAttributeName)); } @@ -344,8 +341,8 @@ class AttributeConfig { if (dot != -1) { mPrefix = mValue.substring(0, dot); mReqAttr = mValue.substring(dot + 1); - if (mPrefix == null || mPrefix.length() == 0 || - mReqAttr == null || mReqAttr.length() == 0) { + if (mPrefix == null || mPrefix.length() == 0 || + mReqAttr == null || mReqAttr.length() == 0) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mValue)); } @@ -356,17 +353,17 @@ class AttributeConfig { } else if (mWhereToGetValue.equalsIgnoreCase(USE_FIXED)) { mWhereToGetValue = USE_FIXED; if (mAttributeOID != null) { - try { - checkValue(mAttributeOID, mValue); - mAttribute = new Attribute(mAttributeOID, mValue); + try { + checkValue(mAttributeOID, mValue); + mAttribute = new Attribute(mAttributeOID, mValue); } catch (Exception e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - mAttributeName, e.getMessage())); + mAttributeName, e.getMessage())); } } } else if (enabled || mWhereToGetValue.length() > 0) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_VALUE_FOR_TYPE", PROP_WTG_VALUE, + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_VALUE_FOR_TYPE", PROP_WTG_VALUE, "Must be either '" + USE_REQUEST_ATTR + "' or '" + USE_FIXED + "'.")); } } @@ -384,7 +381,7 @@ class AttributeConfig { String attrChoices = getAllNames(); v.addElement(nameDot + PROP_ATTRIBUTE_NAME + ";choice(" + attrChoices + ");" + - ATTRIBUTE_NAME_INFO); + ATTRIBUTE_NAME_INFO); v.addElement(nameDot + WTG_VALUE_INFO); v.addElement(nameDot + VALUE_INFO); } @@ -397,14 +394,14 @@ class AttributeConfig { v.addElement(nameDot + PROP_VALUE + "=" + mValue); } - public Attribute formAttr(IRequest req) - throws IOException { + public Attribute formAttr(IRequest req) + throws IOException { String val = req.getExtDataInString(mPrefix, mReqAttr); if (val == null || val.length() == 0) { return null; } - checkValue(mAttributeOID, val); + checkValue(mAttributeOID, val); return new Attribute(mAttributeOID, val); } @@ -420,8 +417,8 @@ class AttributeConfig { return sb.toString(); } - private static void checkValue(ObjectIdentifier oid, String val) - throws IOException { + private static void checkValue(ObjectIdentifier oid, String val) + throws IOException { AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter(oid); DerValue derval; diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java index 0c763b8aa..73649dd61 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -46,21 +45,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Subject Public Key Extension Policy - * Adds the subject public key id extension to certificates. + * Adds the subject public key id extension to certificates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class SubjectKeyIdentifierExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_KEYID_TYPE = "keyIdentifierType"; protected static final String PROP_REQATTR_NAME = "requestAttrName"; @@ -102,17 +101,15 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mEnabled = mConfig.getBoolean( @@ -126,26 +123,26 @@ public class SubjectKeyIdentifierExt extends APolicyRule */ // parse key id type - if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) + if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) mKeyIdType = KEYID_TYPE_SHA1; - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) mKeyIdType = KEYID_TYPE_TYPEFIELD; - /* - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) - mKeyIdType = KEYID_TYPE_REQATTR; - */ - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) + /* + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) + mKeyIdType = KEYID_TYPE_REQATTR; + */ + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) mKeyIdType = KEYID_TYPE_SPKISHA1; else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_KEYID_TYPE, + log(ILogger.LL_FAILURE, + CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_KEYID_TYPE, "value must be one of " + - KEYID_TYPE_SHA1 + ", " + - KEYID_TYPE_TYPEFIELD + ", " + - KEYID_TYPE_SPKISHA1)); + KEYID_TYPE_SHA1 + ", " + + KEYID_TYPE_TYPEFIELD + ", " + + KEYID_TYPE_SPKISHA1)); } // form instance params @@ -160,18 +157,18 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Adds Subject Key identifier Extension to a certificate. * If the extension is already there, accept it. - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -189,7 +186,7 @@ public class SubjectKeyIdentifierExt extends APolicyRule // if subject key id extension already exists, leave it if approved. SubjectKeyIdentifierExtension subjectKeyIdExt = null; CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { @@ -202,14 +199,14 @@ public class SubjectKeyIdentifierExt extends APolicyRule if (subjectKeyIdExt != null) { if (agentApproved(req)) { CMS.debug( - "SubjectKeyIdentifierExt: agent approved request id " + req.getRequestId() + - " already has subject key id extension with value " + - subjectKeyIdExt); + "SubjectKeyIdentifierExt: agent approved request id " + req.getRequestId() + + " already has subject key id extension with value " + + subjectKeyIdExt); return PolicyResult.ACCEPTED; } else { CMS.debug( - "SubjectKeyIdentifierExt: request id from user " + req.getRequestId() + - " had subject key identifier - deleted to be replaced"); + "SubjectKeyIdentifierExt: request id from user " + req.getRequestId() + + " had subject key identifier - deleted to be replaced"); extensions.delete(SubjectKeyIdentifierExtension.NAME); } } @@ -217,38 +214,38 @@ public class SubjectKeyIdentifierExt extends APolicyRule // create subject key id extension. KeyIdentifier keyId = null; - try { - keyId = formKeyIdentifier(certInfo, req); + try { + keyId = formKeyIdentifier(certInfo, req); } catch (EBaseException e) { setPolicyException(req, e); return PolicyResult.REJECTED; } - subjectKeyIdExt = + subjectKeyIdExt = new SubjectKeyIdentifierExtension( - mCritical, keyId.getIdentifier()); + mCritical, keyId.getIdentifier()); // add subject key id extension. if (extensions == null) { certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( - SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); + SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); CMS.debug( - "SubjectKeyIdentifierExt: added subject key id ext to request " + req.getRequestId()); + "SubjectKeyIdentifierExt: added subject key id ext to request " + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } @@ -256,12 +253,13 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Form the Key Identifier in the Subject Key Identifier extension. * <p> + * * @param certInfo Certificate Info * @param req request * @return A Key Identifier. */ protected KeyIdentifier formKeyIdentifier( - X509CertInfo certInfo, IRequest req) throws EBaseException { + X509CertInfo certInfo, IRequest req) throws EBaseException { KeyIdentifier keyId = null; if (mKeyIdType == KEYID_TYPE_SHA1) { @@ -269,10 +267,10 @@ public class SubjectKeyIdentifierExt extends APolicyRule } else if (mKeyIdType == KEYID_TYPE_TYPEFIELD) { keyId = formTypeFieldKeyId(certInfo); } /* - else if (mKeyIdType == KEYID_TYPE_REQATTR) { - keyId = formReqAttrKeyId(certInfo, req); - } - */ else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { + else if (mKeyIdType == KEYID_TYPE_REQATTR) { + keyId = formReqAttrKeyId(certInfo, req); + } + */else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", @@ -282,22 +280,23 @@ public class SubjectKeyIdentifierExt extends APolicyRule } /** - * Form key identifier from a type field value of 0100 followed by - * the least significate 60 bits of the sha-1 hash of the subject - * public key BIT STRING in accordance with RFC 2459. + * Form key identifier from a type field value of 0100 followed by + * the least significate 60 bits of the sha-1 hash of the subject + * public key BIT STRING in accordance with RFC 2459. * <p> + * * @param certInfo - certificate info * @return A Key Identifier with value formulatd as described. */ protected KeyIdentifier formTypeFieldKeyId(X509CertInfo certInfo) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; X509Key key = null; try { CertificateX509Key certKey = - (CertificateX509Key) certInfo.get(X509CertInfo.KEY); + (CertificateX509Key) certInfo.get(X509CertInfo.KEY); if (certKey == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); @@ -309,13 +308,13 @@ public class SubjectKeyIdentifierExt extends APolicyRule throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } @@ -330,8 +329,8 @@ public class SubjectKeyIdentifierExt extends APolicyRule octetString[0] &= (0x08f & octetString[0]); keyId = new KeyIdentifier(octetString); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } @@ -340,40 +339,39 @@ public class SubjectKeyIdentifierExt extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * Gets extended plugin info for pretty Console displays. + * Gets extended plugin info for pretty Console displays. */ public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.", PROP_KEYID_TYPE + ";" + - "choice(" + KEYID_TYPE_SHA1 + "," + - KEYID_TYPE_TYPEFIELD + "," + - KEYID_TYPE_SPKISHA1 + ");" + - "Method to derive the Key Identifier.", + "choice(" + KEYID_TYPE_SHA1 + "," + + KEYID_TYPE_TYPEFIELD + "," + + KEYID_TYPE_SPKISHA1 + ");" + + "Method to derive the Key Identifier.", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-subjectkeyidentifier", + ";configuration-policyrules-subjectkeyidentifier", IExtendedPluginInfo.HELP_TEXT + - ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)" + ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)" }; return params; } } - |