summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java240
1 files changed, 240 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
new file mode 100644
index 000000000..2ae8e5346
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java
@@ -0,0 +1,240 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.cms.profile.common.*;
+import com.netscape.cms.profile.def.*;
+
+import netscape.security.x509.*;
+import netscape.security.extensions.*;
+
+
+/**
+ * This class implements the Netscape certificate type extension constraint.
+ * It checks if the Netscape certificate type extension in the certificate
+ * template satisfies the criteria.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NSCertTypeExtConstraint extends EnrollConstraint {
+
+ public static final String CONFIG_CRITICAL = "nsCertCritical";
+ public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient";
+ public static final String CONFIG_SSL_SERVER = "nsCertSSLServer";
+ public static final String CONFIG_EMAIL = "nsCertEmail";
+ public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning";
+ public static final String CONFIG_SSL_CA = "nsCertSSLCA";
+ public static final String CONFIG_EMAIL_CA = "nsCertEmailCA";
+ public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA";
+
+ public NSCertTypeExtConstraint() {
+ super();
+ addConfigName(CONFIG_CRITICAL);
+ addConfigName(CONFIG_SSL_CLIENT);
+ addConfigName(CONFIG_SSL_SERVER);
+ addConfigName(CONFIG_EMAIL);
+ addConfigName(CONFIG_OBJECT_SIGNING);
+ addConfigName(CONFIG_SSL_CA);
+ addConfigName(CONFIG_EMAIL_CA);
+ addConfigName(CONFIG_OBJECT_SIGNING_CA);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_CRITICAL)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(CONFIG_SSL_CLIENT)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT"));
+ } else if (name.equals(CONFIG_SSL_SERVER)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER"));
+ } else if (name.equals(CONFIG_EMAIL)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL"));
+ } else if (name.equals(CONFIG_OBJECT_SIGNING)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING"));
+ } else if (name.equals(CONFIG_SSL_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA"));
+ } else if (name.equals(CONFIG_EMAIL_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA"));
+ } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) {
+ return new Descriptor(IDescriptor.CHOICE, "true,false,-",
+ "-",
+ CMS.getUserMessage(locale,
+ "CMS_PROFILE_OBJECT_SIGNING_CA"));
+ }
+ return null;
+ }
+
+ /**
+ * Validates the request. The request is not modified
+ * during the validation.
+ */
+ public void validate(IRequest request, X509CertInfo info)
+ throws ERejectException {
+ NSCertTypeExtension ext = (NSCertTypeExtension)
+ getExtension(NSCertTypeExtension.CertType_Id.toString(), info);
+
+ if (ext == null) {
+ throw new ERejectException(
+ CMS.getUserMessage(
+ getLocale(request),
+ "CMS_PROFILE_EXTENSION_NOT_FOUND",
+ NSCertTypeExtension.CertType_Id.toString()));
+ }
+
+ String value = getConfig(CONFIG_CRITICAL);
+
+ if (!isOptional(value)) {
+ boolean critical = getBoolean(value);
+
+ if (critical != ext.isCritical()) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_CRITICAL_NOT_MATCHED"));
+ }
+ }
+ value = getConfig(CONFIG_SSL_CLIENT);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(0)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_SSL_SERVER);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(1)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_SERVER_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_EMAIL);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(2)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_EMAIL_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_OBJECT_SIGNING);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(3)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_SSL_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(4)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_SSL_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_EMAIL_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(5)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_EMAIL_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ value = getConfig(CONFIG_OBJECT_SIGNING_CA);
+ if (!isOptional(value)) {
+ boolean bit = getBoolean(value);
+
+ if (bit != ext.isSet(6)) {
+ throw new ERejectException(
+ CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED",
+ value));
+ }
+ }
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_CRITICAL),
+ getConfig(CONFIG_SSL_CLIENT),
+ getConfig(CONFIG_SSL_SERVER),
+ getConfig(CONFIG_EMAIL),
+ getConfig(CONFIG_OBJECT_SIGNING),
+ getConfig(CONFIG_SSL_CA),
+ getConfig(CONFIG_EMAIL_CA),
+ getConfig(CONFIG_OBJECT_SIGNING_CA)
+ };
+
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params);
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ if (def instanceof NoDefault)
+ return true;
+ if (def instanceof NSCertTypeExtDefault)
+ return true;
+ if (def instanceof UserExtensionDefault)
+ return true;
+ return false;
+ }
+}
generated by cgit (git 2.34.1) at 2024-04-18 17:08:59 +0000