Diffstat (limited to 'pki/base/common/src/com/netscape/cms/profile/constraint')
16 files changed, 1113 insertions, 1052 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java index 4e4c2f603..8c9fd70d6 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.io.IOException; import java.util.Locale; @@ -40,24 +39,18 @@ import com.netscape.cms.profile.def.BasicConstraintsExtDefault; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserExtensionDefault; - /** - * This class implements the basic constraints extension constraint. - * It checks if the basic constraint in the certificate - * template satisfies the criteria. - * + * This class implements the basic constraints extension constraint. It checks + * if the basic constraint in the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class BasicConstraintsExtConstraint extends EnrollConstraint { - public static final String CONFIG_CRITICAL = - "basicConstraintsCritical"; - public static final String CONFIG_IS_CA = - "basicConstraintsIsCA"; - public static final String CONFIG_MIN_PATH_LEN = - "basicConstraintsMinPathLen"; - public static final String CONFIG_MAX_PATH_LEN = - "basicConstraintsMaxPathLen"; + public static final String CONFIG_CRITICAL = "basicConstraintsCritical"; + public static final String CONFIG_IS_CA = "basicConstraintsIsCA"; + public static final String CONFIG_MIN_PATH_LEN = "basicConstraintsMinPathLen"; + public static final String CONFIG_MAX_PATH_LEN = "basicConstraintsMaxPathLen"; public BasicConstraintsExtConstraint() { super(); 
@@ -71,50 +64,42 @@ public class BasicConstraintsExtConstraint extends EnrollConstraint { * Initializes this constraint plugin. */ public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { - if (name.equals(CONFIG_CRITICAL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); } else if (name.equals(CONFIG_IS_CA)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); } else if (name.equals(CONFIG_MIN_PATH_LEN)) { - return new Descriptor(IDescriptor.INTEGER, null, - "-1", + return new Descriptor(IDescriptor.INTEGER, null, "-1", CMS.getUserMessage(locale, "CMS_PROFILE_MIN_PATH_LEN")); } else if (name.equals(CONFIG_MAX_PATH_LEN)) { - return new Descriptor(IDescriptor.INTEGER, null, - "100", + return new Descriptor(IDescriptor.INTEGER, null, "100", CMS.getUserMessage(locale, "CMS_PROFILE_MAX_PATH_LEN")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. 
*/ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CertificateExtensions exts = null; try { - BasicConstraintsExtension ext = (BasicConstraintsExtension) - getExtension(PKIXExtensions.BasicConstraints_Id.toString(), - info); + BasicConstraintsExtension ext = (BasicConstraintsExtension) getExtension( + PKIXExtensions.BasicConstraints_Id.toString(), info); if (ext == null) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - PKIXExtensions.BasicConstraints_Id.toString())); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); } // check criticality 
@@ -124,67 +109,66 @@ public class BasicConstraintsExtConstraint extends EnrollConstraint { boolean critical = getBoolean(value); if (critical != ext.isCritical()) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); } - } + } value = getConfig(CONFIG_IS_CA); if (!isOptional(value)) { boolean isCA = getBoolean(value); - Boolean extIsCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + Boolean extIsCA = (Boolean) ext + .get(BasicConstraintsExtension.IS_CA); if (isCA != extIsCA.booleanValue()) { throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_IS_CA")); + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_IS_CA")); } - } + } value = getConfig(CONFIG_MIN_PATH_LEN); if (!isOptional(value)) { int pathLen = getInt(value); - Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + Integer extPathLen = (Integer) ext + .get(BasicConstraintsExtension.PATH_LEN); if (pathLen > extPathLen.intValue()) { - CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " > extPathLen=" + extPathLen); + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + + pathLen + " > extPathLen=" + extPathLen); throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MIN_PATH")); + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MIN_PATH")); } } value = getConfig(CONFIG_MAX_PATH_LEN); if (!isOptional(value)) { int pathLen = getInt(value); - Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + Integer extPathLen = (Integer) ext + .get(BasicConstraintsExtension.PATH_LEN); if (pathLen < extPathLen.intValue()) { - CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " 
< extPathLen=" + extPathLen); + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + + pathLen + " < extPathLen=" + extPathLen); throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH")); + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH")); } } } catch (IOException e) { CMS.debug("BasicConstraintsExt: validate " + e.toString()); - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - PKIXExtensions.BasicConstraints_Id.toString())); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); } } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_CRITICAL), - getConfig(CONFIG_IS_CA), - getConfig(CONFIG_MIN_PATH_LEN), - getConfig(CONFIG_MAX_PATH_LEN) - }; - - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_TEXT", - params); + String params[] = { getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_IS_CA), getConfig(CONFIG_MIN_PATH_LEN), + getConfig(CONFIG_MAX_PATH_LEN) }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_TEXT", params); } public boolean isApplicable(IPolicyDefault def) { 
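Review bot: The min/max path-length branches unbox `ext.get(BasicConstraintsExtension.PATH_LEN)` and compare it numerically, which leaves the case of a CA extension that carries no pathLenConstraint at all unhandled: if the extension object reports that case as null or as a negative sentinel (not visible here — verify against BasicConstraintsExtension), `pathLen < extPathLen.intValue()` either throws a NullPointerException that escapes validate as a RuntimeException instead of an ERejectException, or is silently false, so a profile that set basicConstraintsMaxPathLen would accept an unbounded CA. The unchecked unboxing of `extIsCA` has the same exposure. I would handle the absent case explicitly before the comparison in the max-path branch, e.g. `if (extPathLen == null || extPathLen.intValue() < 0) throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH"));`, and fix the `BasicCOnstraintsExtConstraint` typo in the two debug lines while touching them. The enclosing validate method starts in the previous hunk.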
@@ -197,19 +181,17 @@ public class BasicConstraintsExtConstraint extends EnrollConstraint { return false; } - public void setConfig(String name, String value) - throws EPropertyException { - + public void setConfig(String name, String value) throws EPropertyException { if (mConfig.getSubStore("params") == null) { CMS.debug("BasicConstraintsExt: mConfig.getSubStore is null"); // } else { - CMS.debug("BasicConstraintsExt: setConfig name " + name + " value " + value); + CMS.debug("BasicConstraintsExt: setConfig name " + name + " value " + + value); - if(name.equals(CONFIG_MAX_PATH_LEN)) - { + if (name.equals(CONFIG_MAX_PATH_LEN)) { String minPathLen = getConfig(CONFIG_MIN_PATH_LEN); @@ -217,13 +199,12 @@ public class BasicConstraintsExtConstraint extends EnrollConstraint { int maxLen = getInt(value); - if(minLen >= maxLen) { + if (minLen >= maxLen) { CMS.debug("BasicConstraintExt: minPathLen >= maxPathLen!"); throw new EPropertyException("bad value"); } - } mConfig.getSubStore("params").putString(name, value); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java index 9759af73d..8b2eab44b 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java @@ -17,16 +17,13 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import netscape.security.x509.X509CertImpl; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.ca.ICertificateAuthority; - /** - * This class represents an abstract class for CA enrollment - * constraint. + * This class represents an abstract class for CA enrollment constraint. */ public abstract class CAEnrollConstraint extends EnrollConstraint { 
@@ -41,8 +38,8 @@ public abstract class CAEnrollConstraint extends EnrollConstraint { * Retrieves the CA certificate. */ public X509CertImpl getCACert() { - ICertificateAuthority ca = (ICertificateAuthority) - CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ICertificateAuthority ca = (ICertificateAuthority) CMS + .getSubsystem(CMS.SUBSYSTEM_CA); X509CertImpl caCert = ca.getCACert(); return caCert; diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java index 4d89e7391..17c6c34f5 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.io.IOException; import java.util.Date; import java.util.Locale; @@ -38,12 +37,10 @@ import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserValidityDefault; import com.netscape.cms.profile.def.ValidityDefault; - /** - * This class implements the validity constraint. - * It checks if the validity in the certificate - * template is within the CA's validity. - * + * This class implements the validity constraint. It checks if the validity in + * the certificate template is within the CA's validity. + * * @version $Revision$, $Date$ */ public class CAValidityConstraint extends CAEnrollConstraint { @@ -56,7 +53,7 @@ public class CAValidityConstraint extends CAEnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); X509CertImpl caCert = getCACert(); 
@@ -65,19 +62,18 @@ public class CAValidityConstraint extends CAEnrollConstraint { } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CMS.debug("CAValidityConstraint: validate start"); CertificateValidity v = null; try { v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); } catch (Exception e) { - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_VALIDITY_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); } Date notBefore = null; @@ -85,8 +81,8 @@ public class CAValidityConstraint extends CAEnrollConstraint { notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); } catch (IOException e) { CMS.debug("CAValidity: not before " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_NOT_BEFORE")); } Date notAfter = null; 
@@ -94,37 +90,33 @@ public class CAValidityConstraint extends CAEnrollConstraint { notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); } catch (IOException e) { CMS.debug("CAValidity: not after " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_NOT_AFTER")); } if (mDefNotBefore != null) { - CMS.debug("ValidtyConstraint: notBefore=" + notBefore + - " defNotBefore=" + mDefNotBefore); + CMS.debug("ValidtyConstraint: notBefore=" + notBefore + + " defNotBefore=" + mDefNotBefore); if (notBefore.before(mDefNotBefore)) { throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); } } - CMS.debug("ValidtyConstraint: notAfter=" + notAfter + - " defNotAfter=" + mDefNotAfter); + CMS.debug("ValidtyConstraint: notAfter=" + notAfter + " defNotAfter=" + + mDefNotAfter); if (notAfter.after(mDefNotAfter)) { - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_NOT_AFTER")); } CMS.debug("CAValidtyConstraint: validate end"); } public String getText(Locale locale) { - String params[] = { - mDefNotBefore.toString(), - mDefNotAfter.toString() - }; - - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT", - params); + String params[] = { mDefNotBefore.toString(), mDefNotAfter.toString() }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT", params); } public boolean isApplicable(IPolicyDefault def) { diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java index 0723a72c3..a4d1e4d91 100644 
--- a/pki/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Enumeration; import java.util.Locale; import java.util.Vector; @@ -39,10 +38,9 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.common.EnrollProfile; - /** * This class implements the generic enrollment constraint. - * + * * @version $Revision$, $Date$ */ public abstract class EnrollConstraint implements IPolicyConstraint { @@ -72,16 +70,15 @@ public abstract class EnrollConstraint implements IPolicyConstraint { public Locale getLocale(IRequest request) { Locale locale = null; - String language = request.getExtDataInString( - EnrollProfile.REQUEST_LOCALE); + String language = request + .getExtDataInString(EnrollProfile.REQUEST_LOCALE); if (language != null) { locale = new Locale(language); } return locale; } - public void setConfig(String name, String value) - throws EPropertyException { + public void setConfig(String name, String value) throws EPropertyException { if (mConfig.getSubStore("params") == null) { // } else { 
@@ -105,46 +102,42 @@ public abstract class EnrollConstraint implements IPolicyConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { mConfig = config; } public IConfigStore getConfigStore() { return mConfig; - } + } /** - * Validates the request. The request is not modified - * during the validation. - * + * Validates the request. The request is not modified during the validation. + * * @param request enrollment request * @param info certificate template - * @exception ERejectException request is rejected due - * to violation of constraint + * @exception ERejectException request is rejected due to violation of + * constraint */ public abstract void validate(IRequest request, X509CertInfo info) - throws ERejectException; + throws ERejectException; /** - * Validates the request. The request is not modified - * during the validation. - * - * The current implementation of this method calls - * into the subclass's validate(request, info) - * method for validation checking. - * + * Validates the request. The request is not modified during the validation. + * + * The current implementation of this method calls into the subclass's + * validate(request, info) method for validation checking. + * * @param request request - * @exception ERejectException request is rejected due - * to violation of constraint + * @exception ERejectException request is rejected due to violation of + * constraint */ - public void validate(IRequest request) - throws ERejectException { + public void validate(IRequest request) throws ERejectException { String name = getClass().getName(); name = name.substring(name.lastIndexOf('.') + 1); CMS.debug(name + ": validate start"); - X509CertInfo info = - request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + X509CertInfo info = request + .getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); validate(request, info); 
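Review bot: validate(IRequest) hands `request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO)` to the subclass `validate(request, info)` without checking for null, so a request that lacks the cert-info attribute is rejected or not depending on how each subclass dereferences `info`; CAValidityConstraint and getExtension elsewhere in this diff happen to wrap `info.get(...)` in a catch-all, but that is per-subclass luck rather than a contract. I would reject here, before dispatch, with an ERejectException when `info == null`, and state the resulting guarantee in the abstract method's Javadoc as `@param info certificate template, never null`. The hunk continues past `validate(request, info);`, so the end of this method is outside it.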
@@ -168,8 +161,7 @@ public abstract class EnrollConstraint implements IPolicyConstraint { CertificateExtensions exts = null; try { - exts = (CertificateExtensions) - info.get(X509CertInfo.EXTENSIONS); + exts = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS); } catch (Exception e) { CMS.debug("EnrollConstraint: getExtension " + e.toString()); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java index 539f4890f..88cfb5422 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -40,19 +39,17 @@ import com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserExtensionDefault; - /** - * This class implements the extended key usage extension constraint. - * It checks if the extended key usage extension in the certificate - * template satisfies the criteria. - * + * This class implements the extended key usage extension constraint. It checks + * if the extended key usage extension in the certificate template satisfies the + * criteria. + * * @version $Revision$, $Date$ */ public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { public static final String CONFIG_CRITICAL = "exKeyUsageCritical"; - public static final String CONFIG_OIDS = - "exKeyUsageOIDs"; + public static final String CONFIG_OIDS = "exKeyUsageOIDs"; public ExtendedKeyUsageExtConstraint() { super(); 
@@ -61,38 +58,33 @@ public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { - if (name.equals(CONFIG_CRITICAL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); } else if (name.equals(CONFIG_OIDS)) { - return new Descriptor(IDescriptor.STRING, null, - null, + return new Descriptor(IDescriptor.STRING, null, null, CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); - } + } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { - ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) - getExtension(ExtendedKeyUsageExtension.OID, info); + throws ERejectException { + ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) getExtension( + ExtendedKeyUsageExtension.OID, info); if (ext == null) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - ExtendedKeyUsageExtension.OID)); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + ExtendedKeyUsageExtension.OID)); } // check criticality 
@@ -102,12 +94,10 @@ public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { boolean critical = getBoolean(value); if (critical != ext.isCritical()) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_CRITICAL_NOT_MATCHED")); } - } + } // Build local cache of configured OIDs Vector mCache = new Vector(); @@ -122,28 +112,22 @@ public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { // check OIDs Enumeration e = ext.getOIDs(); - while (e.hasMoreElements()) { + while (e.hasMoreElements()) { ObjectIdentifier oid = (ObjectIdentifier) e.nextElement(); if (!mCache.contains(oid.toString())) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_OID_NOT_MATCHED", - oid.toString())); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_OID_NOT_MATCHED", + oid.toString())); } } } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_CRITICAL), - getConfig(CONFIG_OIDS) - }; - - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_EXTENDED_KEY_EXT_TEXT", - params); + String params[] = { getConfig(CONFIG_CRITICAL), getConfig(CONFIG_OIDS) }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_EXTENDED_KEY_EXT_TEXT", params); } public boolean isApplicable(IPolicyDefault def) { diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java index cda51a07c..5680648cd 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java 
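Review bot: The OID loop at the end of the second hunk enforces only that every OID present in the request's EKU extension appears in the configured list; it never requires any configured OID to be present, so a profile author reading `exKeyUsageOIDs` as "required usages" would be misled, and the existing `// check OIDs` comment does not say which way the check goes. I would replace it with `// Subset check: each OID carried by the extension must appear in CONFIG_OIDS; no configured OID is required to be present.`. The comparison is string-based (`oid.toString()` against the cached tokens) and the tokenization sits in the gap between the two hunks, so stray whitespace in the configured list would silently make a legitimate OID fail to match — worth a `.trim()` there if it is not already applied. Minor style: `mCache` is a local but carries the file's field prefix, and it is a raw `Vector`.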
@@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Locale; import netscape.security.x509.Extension; @@ -37,12 +36,10 @@ import com.netscape.cms.profile.def.EnrollExtDefault; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserExtensionDefault; - /** - * This class implements the general extension constraint. - * It checks if the extension in the certificate - * template satisfies the criteria. - * + * This class implements the general extension constraint. It checks if the + * extension in the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class ExtensionConstraint extends EnrollConstraint { 
@@ -57,83 +54,71 @@ public class ExtensionConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public void setConfig(String name, String value) - throws EPropertyException { + public void setConfig(String name, String value) throws EPropertyException { if (mConfig.getSubStore("params") == null) { CMS.debug("ExtensionConstraint: mConfig.getSubStore is null"); } else { - CMS.debug("ExtensionConstraint: setConfig name=" + name + - " value=" + value); - - if(name.equals(CONFIG_OID)) - { - try { - CMS.checkOID("", value); - } catch (Exception e) { - throw new EPropertyException( - CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", value)); - } + CMS.debug("ExtensionConstraint: setConfig name=" + name + " value=" + + value); + + if (name.equals(CONFIG_OID)) { + try { + CMS.checkOID("", value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_PROPERTY_ERROR", value)); + } } mConfig.getSubStore("params").putString(name, value); } } - public IDescriptor getConfigDescriptor(Locale locale, String name) { + public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_CRITICAL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); } else if (name.equals(CONFIG_OID)) { - return new Descriptor(IDescriptor.STRING, null, - null, + return new Descriptor(IDescriptor.STRING, null, null, CMS.getUserMessage(locale, "CMS_PROFILE_OID")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. 
*/ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { - Extension ext = getExtension(getConfig(CONFIG_OID), info); + Extension ext = getExtension(getConfig(CONFIG_OID), info); if (ext == null) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - getConfig(CONFIG_OID))); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", getConfig(CONFIG_OID))); } - // check criticality + // check criticality String value = getConfig(CONFIG_CRITICAL); if (!isOptional(value)) { boolean critical = getBoolean(value); - if (critical != ext.isCritical()) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + if (critical != ext.isCritical()) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_CRITICAL_NOT_MATCHED")); } - } + } } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_CRITICAL), - getConfig(CONFIG_OID) - }; + String params[] = { getConfig(CONFIG_CRITICAL), getConfig(CONFIG_OID) }; - return CMS.getUserMessage(locale, + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_EXTENSION_TEXT", params); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java index 56ec0adf1..1952ba168 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.math.BigInteger; import java.security.interfaces.DSAParams; import java.util.HashMap; 
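Review bot: validate reads `getConfig(CONFIG_OID)` twice and passes it to getExtension with no check that the profile actually set it; if the OID is blank the constraint looks up an empty extension id (what getExtension does with that is outside this hunk) and then reports "extension not found" against an empty name, a confusing reject where a configuration error is the real cause. Hoist it to a local, `String oid = getConfig(CONFIG_OID);`, use it for both the lookup and the message, and reject when it is blank. In setConfig, the `catch (Exception e)` around `CMS.checkOID("", value)` discards the cause entirely; keep the rejection but attach `e` if EPropertyException allows it, or at least `CMS.debug` it, so a malformed OID is diagnosable.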
@@ -44,11 +43,9 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserKeyDefault; - /** - * This constraint is to check the key type and - * key length. - * + * This constraint is to check the key type and key length. + * * @version $Revision$, $Date$ */ @SuppressWarnings("serial") 
@@ -57,72 +54,306 @@ public class KeyConstraint extends EnrollConstraint { public static final String CONFIG_KEY_TYPE = "keyType"; // (EC, RSA) public static final String CONFIG_KEY_PARAMETERS = "keyParameters"; - private static final String[] ecCurves = {"nistp256","nistp384","nistp521","sect163k1","nistk163","sect163r1","sect163r2", - "nistb163","sect193r1","sect193r2","sect233k1","nistk233","sect233r1","nistb233","sect239k1","sect283k1","nistk283", - "sect283r1","nistb283","sect409k1","nistk409","sect409r1","nistb409","sect571k1","nistk571","sect571r1","nistb571", - "secp160k1","secp160r1","secp160r2","secp192k1","secp192r1","nistp192","secp224k1","secp224r1","nistp224","secp256k1", - "secp256r1","secp384r1","secp521r1","prime192v1","prime192v2","prime192v3","prime239v1","prime239v2","prime239v3","c2pnb163v1", - "c2pnb163v2","c2pnb163v3","c2pnb176v1","c2tnb191v1","c2tnb191v2","c2tnb191v3","c2pnb208w1","c2tnb239v1","c2tnb239v2","c2tnb239v3", - "c2pnb272w1","c2pnb304w1","c2tnb359w1","c2pnb368w1","c2tnb431r1","secp112r1","secp112r2","secp128r1","secp128r2","sect113r1","sect113r2", - "sect131r1","sect131r2" - }; - - private final static HashMap<String,Vector> ecOIDs = new HashMap<String,Vector>(); - static - { - ecOIDs.put( "1.2.840.10045.3.1.7", new Vector() {{add("nistp256");add("secp256r1");}}); - ecOIDs.put( "1.3.132.0.34", new Vector() {{add("nistp384");add("secp384r1");}}); - ecOIDs.put( "1.3.132.0.35", new Vector() {{add("nistp521");add("secp521r1");}}); - ecOIDs.put( "1.3.132.0.1", new Vector() {{add("sect163k1");add("nistk163");}}); - ecOIDs.put( "1.3.132.0.2", new Vector() {{add("sect163r1");}}); - ecOIDs.put( "1.3.132.0.15", new Vector() {{add("sect163r2");add("nistb163");}}); - ecOIDs.put( "1.3.132.0.24", new Vector() {{add("sect193r1");}}); - ecOIDs.put( "1.3.132.0.25", new Vector() {{add("sect193r2");}}); - ecOIDs.put( "1.3.132.0.26", new Vector() {{add("sect233k1");add("nistk233");}}); - ecOIDs.put( "1.3.132.0.27", new Vector() 
{{add("sect233r1");add("nistb233");}}); - ecOIDs.put( "1.3.132.0.3", new Vector() {{add("sect239k1");}}); - ecOIDs.put( "1.3.132.0.16", new Vector() {{add("sect283k1");add("nistk283");}}); - ecOIDs.put( "1.3.132.0.17", new Vector() {{add("sect283r1");add("nistb283");}}); - ecOIDs.put( "1.3.132.0.36", new Vector() {{add("sect409k1");add("nistk409");}}); - ecOIDs.put( "1.3.132.0.37", new Vector() {{add("sect409r1");add("nistb409");}}); - ecOIDs.put( "1.3.132.0.38", new Vector() {{add("sect571k1"); add("nistk571");}}); - ecOIDs.put( "1.3.132.0.39", new Vector() {{add("sect571r1");add("nistb571");}}); - ecOIDs.put( "1.3.132.0.9", new Vector() {{add("secp160k1");}}); - ecOIDs.put( "1.3.132.0.8", new Vector() {{add("secp160r1");}}); - ecOIDs.put( "1.3.132.0.30", new Vector() {{add("secp160r2");}}); - ecOIDs.put( "1.3.132.0.31", new Vector() {{add("secp192k1");}}); - ecOIDs.put( "1.2.840.10045.3.1.1", new Vector() {{add("secp192r1");add("nistp192");add("prime192v1");}}); - ecOIDs.put( "1.3.132.0.32", new Vector() {{add("secp224k1");}}); - ecOIDs.put( "1.3.132.0.33", new Vector() {{add("secp224r1");add("nistp224");}}); - ecOIDs.put( "1.3.132.0.10", new Vector() {{add("secp256k1");}}); - ecOIDs.put( "1.2.840.10045.3.1.2",new Vector() {{add("prime192v2");}}); - ecOIDs.put( "1.2.840.10045.3.1.3",new Vector() {{add("prime192v3");}}); - ecOIDs.put( "1.2.840.10045.3.1.4",new Vector() {{add("prime239v1");}}); - ecOIDs.put( "1.2.840.10045.3.1.5",new Vector() {{add("prime239v2");}}); - ecOIDs.put( "1.2.840.10045.3.1.6",new Vector() {{add("prime239v3");}}); - ecOIDs.put( "1.2.840.10045.3.0.1", new Vector() {{add("c2pnb163v1");}}); - ecOIDs.put( "1.2.840.10045.3.0.2", new Vector() {{add("c2pnb163v2");}}); - ecOIDs.put( "1.2.840.10045.3.0.3", new Vector() {{add("c2pnb163v3");}}); - ecOIDs.put( "1.2.840.10045.3.0.4", new Vector() {{add("c2pnb176v1");}}); - ecOIDs.put( "1.2.840.10045.3.0.5", new Vector() {{add("c2tnb191v1");}}); - ecOIDs.put( "1.2.840.10045.3.0.6", new Vector() 
{{add("c2tnb191v2");}}); - ecOIDs.put( "1.2.840.10045.3.0.7", new Vector() {{add("c2tnb191v3");}}); - ecOIDs.put( "1.2.840.10045.3.0.10", new Vector() {{add("c2pnb208w1");}}); - ecOIDs.put( "1.2.840.10045.3.0.11", new Vector() {{add("c2tnb239v1");}}); - ecOIDs.put( "1.2.840.10045.3.0.12", new Vector() {{add("c2tnb239v2");}}); - ecOIDs.put( "1.2.840.10045.3.0.13", new Vector() {{add("c2tnb239v3");}}); - ecOIDs.put( "1.2.840.10045.3.0.16", new Vector() {{add("c2pnb272w1");}}); - ecOIDs.put( "1.2.840.10045.3.0.17", new Vector() {{add("c2pnb304w1");}}); - ecOIDs.put( "1.2.840.10045.3.0.19", new Vector() {{add("c2pnb368w1");}}); - ecOIDs.put( "1.2.840.10045.3.0.20", new Vector() {{add("c2tnb431r1");}}); - ecOIDs.put( "1.3.132.0.6", new Vector() {{add("secp112r1");}}); - ecOIDs.put( "1.3.132.0.7", new Vector() {{add("secp112r2");}}); - ecOIDs.put( "1.3.132.0.28", new Vector() {{add("secp128r1");}}); - ecOIDs.put( "1.3.132.0.29", new Vector() {{add("secp128r2");}}); - ecOIDs.put( "1.3.132.0.4", new Vector() {{add("sect113r1");}}); - ecOIDs.put( "1.3.132.0.5", new Vector() {{add("sect113r2");}}); - ecOIDs.put( "1.3.132.0.22", new Vector() {{add("sect131r1");}}); - ecOIDs.put( "1.3.132.0.23", new Vector() {{add("sect131r2");}}); + private static final String[] ecCurves = { "nistp256", "nistp384", + "nistp521", "sect163k1", "nistk163", "sect163r1", "sect163r2", + "nistb163", "sect193r1", "sect193r2", "sect233k1", "nistk233", + "sect233r1", "nistb233", "sect239k1", "sect283k1", "nistk283", + "sect283r1", "nistb283", "sect409k1", "nistk409", "sect409r1", + "nistb409", "sect571k1", "nistk571", "sect571r1", "nistb571", + "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp192r1", + "nistp192", "secp224k1", "secp224r1", "nistp224", "secp256k1", + "secp256r1", "secp384r1", "secp521r1", "prime192v1", "prime192v2", + "prime192v3", "prime239v1", "prime239v2", "prime239v3", + "c2pnb163v1", "c2pnb163v2", "c2pnb163v3", "c2pnb176v1", + "c2tnb191v1", "c2tnb191v2", "c2tnb191v3", 
"c2pnb208w1", + "c2tnb239v1", "c2tnb239v2", "c2tnb239v3", "c2pnb272w1", + "c2pnb304w1", "c2tnb359w1", "c2pnb368w1", "c2tnb431r1", + "secp112r1", "secp112r2", "secp128r1", "secp128r2", "sect113r1", + "sect113r2", "sect131r1", "sect131r2" }; + + private final static HashMap<String, Vector> ecOIDs = new HashMap<String, Vector>(); + static { + ecOIDs.put("1.2.840.10045.3.1.7", new Vector() { + { + add("nistp256"); + add("secp256r1"); + } + }); + ecOIDs.put("1.3.132.0.34", new Vector() { + { + add("nistp384"); + add("secp384r1"); + } + }); + ecOIDs.put("1.3.132.0.35", new Vector() { + { + add("nistp521"); + add("secp521r1"); + } + }); + ecOIDs.put("1.3.132.0.1", new Vector() { + { + add("sect163k1"); + add("nistk163"); + } + }); + ecOIDs.put("1.3.132.0.2", new Vector() { + { + add("sect163r1"); + } + }); + ecOIDs.put("1.3.132.0.15", new Vector() { + { + add("sect163r2"); + add("nistb163"); + } + }); + ecOIDs.put("1.3.132.0.24", new Vector() { + { + add("sect193r1"); + } + }); + ecOIDs.put("1.3.132.0.25", new Vector() { + { + add("sect193r2"); + } + }); + ecOIDs.put("1.3.132.0.26", new Vector() { + { + add("sect233k1"); + add("nistk233"); + } + }); + ecOIDs.put("1.3.132.0.27", new Vector() { + { + add("sect233r1"); + add("nistb233"); + } + }); + ecOIDs.put("1.3.132.0.3", new Vector() { + { + add("sect239k1"); + } + }); + ecOIDs.put("1.3.132.0.16", new Vector() { + { + add("sect283k1"); + add("nistk283"); + } + }); + ecOIDs.put("1.3.132.0.17", new Vector() { + { + add("sect283r1"); + add("nistb283"); + } + }); + ecOIDs.put("1.3.132.0.36", new Vector() { + { + add("sect409k1"); + add("nistk409"); + } + }); + ecOIDs.put("1.3.132.0.37", new Vector() { + { + add("sect409r1"); + add("nistb409"); + } + }); + ecOIDs.put("1.3.132.0.38", new Vector() { + { + add("sect571k1"); + add("nistk571"); + } + }); + ecOIDs.put("1.3.132.0.39", new Vector() { + { + add("sect571r1"); + add("nistb571"); + } + }); + ecOIDs.put("1.3.132.0.9", new Vector() { + { + add("secp160k1"); + } + }); + 
ecOIDs.put("1.3.132.0.8", new Vector() { + { + add("secp160r1"); + } + }); + ecOIDs.put("1.3.132.0.30", new Vector() { + { + add("secp160r2"); + } + }); + ecOIDs.put("1.3.132.0.31", new Vector() { + { + add("secp192k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.1", new Vector() { + { + add("secp192r1"); + add("nistp192"); + add("prime192v1"); + } + }); + ecOIDs.put("1.3.132.0.32", new Vector() { + { + add("secp224k1"); + } + }); + ecOIDs.put("1.3.132.0.33", new Vector() { + { + add("secp224r1"); + add("nistp224"); + } + }); + ecOIDs.put("1.3.132.0.10", new Vector() { + { + add("secp256k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.2", new Vector() { + { + add("prime192v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.3", new Vector() { + { + add("prime192v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.4", new Vector() { + { + add("prime239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.5", new Vector() { + { + add("prime239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.6", new Vector() { + { + add("prime239v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.1", new Vector() { + { + add("c2pnb163v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.2", new Vector() { + { + add("c2pnb163v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.3", new Vector() { + { + add("c2pnb163v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.4", new Vector() { + { + add("c2pnb176v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.5", new Vector() { + { + add("c2tnb191v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.6", new Vector() { + { + add("c2tnb191v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.7", new Vector() { + { + add("c2tnb191v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.10", new Vector() { + { + add("c2pnb208w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.11", new Vector() { + { + add("c2tnb239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.12", new Vector() { + { + add("c2tnb239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.13", new Vector() { + { + add("c2tnb239v3"); + } + }); + 
ecOIDs.put("1.2.840.10045.3.0.16", new Vector() { + { + add("c2pnb272w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.17", new Vector() { + { + add("c2pnb304w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.19", new Vector() { + { + add("c2pnb368w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.20", new Vector() { + { + add("c2tnb431r1"); + } + }); + ecOIDs.put("1.3.132.0.6", new Vector() { + { + add("secp112r1"); + } + }); + ecOIDs.put("1.3.132.0.7", new Vector() { + { + add("secp112r2"); + } + }); + ecOIDs.put("1.3.132.0.28", new Vector() { + { + add("secp128r1"); + } + }); + ecOIDs.put("1.3.132.0.29", new Vector() { + { + add("secp128r2"); + } + }); + ecOIDs.put("1.3.132.0.4", new Vector() { + { + add("sect113r1"); + } + }); + ecOIDs.put("1.3.132.0.5", new Vector() { + { + add("sect113r2"); + } + }); + ecOIDs.put("1.3.132.0.22", new Vector() { + { + add("sect131r1"); + } + }); + ecOIDs.put("1.3.132.0.23", new Vector() { + { + add("sect131r2"); + } + }); } private static String[] cfgECCurves = null; @@ -136,7 +367,7 @@ public class KeyConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); String ecNames = ""; 
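Review bot: The `ecCurves` fallback list and the `ecOIDs` table disagree: `"c2tnb359w1"` is listed in `ecCurves` but no OID entry in the static initializer maps to it, so when `cfgECCurves` is null `setConfig` accepts that curve name while `validate` can never match a key against it. Deriving the name list from the map's values, or a test asserting the two agree, would keep them from drifting. The table also uses the raw type `HashMap<String, Vector>` and one double-brace anonymous `Vector` subclass per entry; a `Map<String, List<String>>` filled through a small `private static void put(String oid, String... names)` helper gives the same lookups with type checking and a single class. The static block here is the new side of a pure reformat, so the inconsistency predates this commit.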
@@ -148,32 +379,30 @@ public class KeyConstraint extends EnrollConstraint { CMS.debug("KeyConstraint.init ecNames: " + ecNames); if (ecNames != null && ecNames.length() != 0) { cfgECCurves = ecNames.split(","); - } + } } - public IDescriptor getConfigDescriptor(Locale locale, String name) { + public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_KEY_TYPE)) { - return new Descriptor(IDescriptor.CHOICE, "-,RSA,EC", - "RSA", + return new Descriptor(IDescriptor.CHOICE, "-,RSA,EC", "RSA", CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE")); - } else if (name.equals(CONFIG_KEY_PARAMETERS)) { - return new Descriptor(IDescriptor.STRING,null,"", - CMS.getUserMessage(locale,"CMS_PROFILE_KEY_PARAMETERS")); + } else if (name.equals(CONFIG_KEY_PARAMETERS)) { + return new Descriptor(IDescriptor.STRING, null, "", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_PARAMETERS")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { try { - CertificateX509Key infokey = (CertificateX509Key) - info.get(X509CertInfo.KEY); - X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + CertificateX509Key infokey = (CertificateX509Key) info + .get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().getName().toUpperCase(); String value = getConfig(CONFIG_KEY_TYPE); 
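Review bot: `key.getAlgorithmId().getName().toUpperCase()` in `validate` upper-cases with the default locale, so the later comparisons against `"RSA"`, `"DSA"` and `"EC"` depend on the JVM's locale setting; `toUpperCase(Locale.ROOT)` behaves identically everywhere, and `Locale` is already imported in this file (it is the parameter type of `getConfigDescriptor` in this same hunk). `validate` continues past the end of this hunk.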
@@ -181,29 +410,25 @@ public class KeyConstraint extends EnrollConstraint { if (!isOptional(value)) { if (!alg.equals(value)) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_KEY_TYPE_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_TYPE_NOT_MATCHED", value)); } } int keySize = 0; String ecCurve = ""; - if (alg.equals("RSA")) { + if (alg.equals("RSA")) { keySize = getRSAKeyLen(key); - } else if (alg.equals("DSA")) { + } else if (alg.equals("DSA")) { keySize = getDSAKeyLen(key); - } else if (alg.equals("EC")) { - //EC key case. + } else if (alg.equals("EC")) { + // EC key case. } else { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_INVALID_KEY_TYPE", - alg)); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_KEY_TYPE", alg)); } value = getConfig(CONFIG_KEY_PARAMETERS); @@ -212,28 +437,26 @@ public class KeyConstraint extends EnrollConstraint { if (alg.equals("EC")) { if (!alg.equals(keyType) && !isOptional(keyType)) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", value)); } AlgorithmId algid = key.getAlgorithmId(); CMS.debug("algId: " + algid); - //Get raw string representation of alg parameters, will give - //us the curve OID. + // Get raw string representation of alg parameters, will give + // us the curve OID. - String params = null; + String params = null; if (algid != null) { params = algid.getParametersString(); } if (params.startsWith("OID.")) { params = params.substring(4); - } + } CMS.debug("EC key OID: " + params); Vector vect = ecOIDs.get(params); 
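Review bot: In the EC branch of the second hunk here (`@@ -212`), `params` stays null when `algid` is null and `params.startsWith("OID.")` then throws a NullPointerException; from the later hunk it appears to be swallowed by the method's outer `catch (Exception e)` and reported as `CMS_PROFILE_KEY_NOT_FOUND`, which misdescribes the rejection. A null `params` should be rejected explicitly before the `startsWith` check, e.g. `if (params == null) { throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", value)); }`. `ecOIDs.get(params)` likewise returns null for an OID that is not in the table; the lines between this hunk and the next are not visible, so whether `vect` is null-checked before the `vect.toString()` in the next hunk cannot be confirmed from here. `validate` starts and ends outside this hunk.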
@@ -244,10 +467,12 @@ public class KeyConstraint extends EnrollConstraint { CMS.debug("vect: " + vect.toString()); if (!isOptional(keyType)) { - //Check the curve parameters only if explicit ECC or not optional - for (int i = 0 ; i < keyParams.length ; i ++) { - String ecParam = keyParams[i]; - CMS.debug("keyParams[i]: " + i + " param: " + ecParam); + // Check the curve parameters only if explicit ECC or + // not optional + for (int i = 0; i < keyParams.length; i++) { + String ecParam = keyParams[i]; + CMS.debug("keyParams[i]: " + i + " param: " + + ecParam); if (vect.contains(ecParam)) { curveFound = true; CMS.debug("KeyConstraint.validate: EC key constrainst passed."); @@ -260,21 +485,17 @@ public class KeyConstraint extends EnrollConstraint { } if (!curveFound) { - CMS.debug("KeyConstraint.validate: EC key constrainst failed."); - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", - value)); + CMS.debug("KeyConstraint.validate: EC key constrainst failed."); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", value)); } - } else { - if ( !arrayContainsString(keyParams,Integer.toString(keySize))) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", - value)); + } else { + if (!arrayContainsString(keyParams, Integer.toString(keySize))) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", value)); } CMS.debug("KeyConstraint.validate: RSA key contraints passed."); } @@ -283,8 +504,8 @@ public class KeyConstraint extends EnrollConstraint { throw (ERejectException) e; } CMS.debug("KeyConstraint: " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_KEY_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_KEY_NOT_FOUND")); } } 
@@ -292,8 +513,7 @@ public class KeyConstraint extends EnrollConstraint { X509Key newkey = null; try { - newkey = new X509Key(AlgorithmId.get("RSA"), - key.getKey()); + newkey = new X509Key(AlgorithmId.get("RSA"), key.getKey()); } catch (Exception e) { CMS.debug("KeyConstraint: getRSAKey Len " + e.toString()); return -1; @@ -315,13 +535,11 @@ public class KeyConstraint extends EnrollConstraint { } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_KEY_TYPE), - getConfig(CONFIG_KEY_PARAMETERS) - }; + String params[] = { getConfig(CONFIG_KEY_TYPE), + getConfig(CONFIG_KEY_PARAMETERS) }; - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_KEY_TEXT", params); + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_KEY_TEXT", + params); } public boolean isApplicable(IPolicyDefault def) { 
@@ -332,28 +550,27 @@ public class KeyConstraint extends EnrollConstraint { return false; } - public void setConfig(String name, String value) - throws EPropertyException { + public void setConfig(String name, String value) throws EPropertyException { CMS.debug("KeyConstraint.setConfig name: " + name + " value: " + value); - //establish keyType, we don't know which order these params will arrive + // establish keyType, we don't know which order these params will arrive if (name.equals(CONFIG_KEY_TYPE)) { keyType = value; - if(keyParams.equals("")) - return; + if (keyParams.equals("")) + return; } - - //establish keyParams + + // establish keyParams if (name.equals(CONFIG_KEY_PARAMETERS)) { CMS.debug("establish keyParams: " + value); keyParams = value; - if(keyType.equals("")) + if (keyType.equals("")) return; } - // All the params we need for validation have been collected, + // All the params we need for validation have been collected, // we don't know which order they will show up - if (keyType.length() > 0 && keyParams.length() > 0) { + if (keyType.length() > 0 && keyParams.length() > 0) { String[] params = keyParams.split(","); boolean isECCurve = false; int keySize = 0; 
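Review bot: `setConfig` only reaches `super.setConfig` once both `keyType` and `keyParams` have been received, so a call that sets just one of the two properties hits the early `return` and its value is never stored, and (visible in the next hunk) a call with any other `name` falls through to store empty strings for both keys and discards `value`. If the profile framework can update a single property at a time, this silently drops the change; validating the incoming value against the partner read back via `getConfig` would remove the ordering dependency. Holding the half-received pair in the instance fields `keyType`/`keyParams` also means two interleaved configuration updates would corrupt each other; whether that can occur depends on the caller, which is outside this view. `setConfig` ends outside this hunk.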
@@ -361,48 +578,50 @@ public class KeyConstraint extends EnrollConstraint { for (int i = 0; i < params.length; i++) { if (keyType.equals("EC")) { if (cfgECCurves == null) { - //Use the static array as a backup if the config values are not present. - isECCurve = arrayContainsString(ecCurves,params[i]); + // Use the static array as a backup if the config values + // are not present. + isECCurve = arrayContainsString(ecCurves, params[i]); } else { - isECCurve = arrayContainsString(cfgECCurves,params[i]); + isECCurve = arrayContainsString(cfgECCurves, params[i]); } - if (isECCurve == false) { //Not a valid EC curve throw exception. + if (isECCurve == false) { // Not a valid EC curve throw + // exception. keyType = ""; keyParams = ""; throw new EPropertyException(CMS.getUserMessage( - "CMS_INVALID_PROPERTY", name)); + "CMS_INVALID_PROPERTY", name)); } - } else { + } else { try { keySize = Integer.parseInt(params[i]); } catch (Exception e) { keySize = 0; } - if (keySize <= 0) { + if (keySize <= 0) { keyType = ""; keyParams = ""; throw new EPropertyException(CMS.getUserMessage( - "CMS_INVALID_PROPERTY", name)); + "CMS_INVALID_PROPERTY", name)); } } } - } - //Actually set the configuration in the profile - super.setConfig(CONFIG_KEY_TYPE, keyType); - super.setConfig(CONFIG_KEY_PARAMETERS, keyParams); + } + // Actually set the configuration in the profile + super.setConfig(CONFIG_KEY_TYPE, keyType); + super.setConfig(CONFIG_KEY_PARAMETERS, keyParams); - //Reset the vars for next round. - keyType = ""; - keyParams = ""; + // Reset the vars for next round. + keyType = ""; + keyParams = ""; } private boolean arrayContainsString(String[] array, String value) { if (array == null || value == null) { - return false; - } + return false; + } - for (int i = 0 ; i < array.length; i++) { + for (int i = 0; i < array.length; i++) { if (array[i].equals(value)) { return true; } @@ -411,4 +630,3 @@ public class KeyConstraint extends EnrollConstraint { return false; } } - 
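Review bot: The RSA/DSA branch wraps `Integer.parseInt(params[i])` in `catch (Exception e)`, which masks anything other than the expected parse failure; `catch (NumberFormatException e)` is the narrow form and keeps the `keySize = 0` fallback unchanged. `if (isECCurve == false)` reads more naturally as `if (!isECCurve)`, with the trailing comment moved onto the line above the `if`. The same branch accepts any positive integer as a key size, so if the profile is meant to enforce a minimum RSA/DSA length this loop is where a floor would go; that is a policy choice rather than a defect in this hunk. `setConfig` starts outside this hunk.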
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java index 4a483b43d..416222814 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Locale; import netscape.security.x509.KeyUsageExtension; 
@@ -37,25 +36,19 @@ import com.netscape.cms.profile.def.KeyUsageExtDefault; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserExtensionDefault; - /** - * This class implements the key usage extension constraint. - * It checks if the key usage constraint in the certificate - * template satisfies the criteria. - * + * This class implements the key usage extension constraint. It checks if the + * key usage constraint in the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class KeyUsageExtConstraint extends EnrollConstraint { public static final String CONFIG_CRITICAL = "keyUsageCritical"; - public static final String CONFIG_DIGITAL_SIGNATURE = - "keyUsageDigitalSignature"; - public static final String CONFIG_NON_REPUDIATION = - "keyUsageNonRepudiation"; - public static final String CONFIG_KEY_ENCIPHERMENT = - "keyUsageKeyEncipherment"; - public static final String CONFIG_DATA_ENCIPHERMENT = - "keyUsageDataEncipherment"; + public static final String CONFIG_DIGITAL_SIGNATURE = "keyUsageDigitalSignature"; + public static final String CONFIG_NON_REPUDIATION = "keyUsageNonRepudiation"; + public static final String CONFIG_KEY_ENCIPHERMENT = "keyUsageKeyEncipherment"; + public static final String CONFIG_DATA_ENCIPHERMENT = "keyUsageDataEncipherment"; public static final String CONFIG_KEY_AGREEMENT = "keyUsageKeyAgreement"; public static final String CONFIG_KEY_CERTSIGN = "keyUsageKeyCertSign"; public static final String CONFIG_CRL_SIGN = "keyUsageCrlSign"; 
@@ -77,51 +70,41 @@ public class KeyUsageExtConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { + public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_CRITICAL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); } else if (name.equals(CONFIG_DIGITAL_SIGNATURE)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); } else if (name.equals(CONFIG_NON_REPUDIATION)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); } else if (name.equals(CONFIG_KEY_ENCIPHERMENT)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); } else if (name.equals(CONFIG_DATA_ENCIPHERMENT)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); } else if (name.equals(CONFIG_KEY_AGREEMENT)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); } else if (name.equals(CONFIG_KEY_CERTSIGN)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", 
CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); } else if (name.equals(CONFIG_CRL_SIGN)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRL_SIGN")); } else if (name.equals(CONFIG_ENCIPHER_ONLY)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); } else if (name.equals(CONFIG_DECIPHER_ONLY)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); } return null; @@ -134,20 +117,17 @@ public class KeyUsageExtConstraint extends EnrollConstraint { } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { - KeyUsageExtension ext = (KeyUsageExtension) - getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + throws ERejectException { + KeyUsageExtension ext = (KeyUsageExtension) getExtension( + PKIXExtensions.KeyUsage_Id.toString(), info); if (ext == null) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - PKIXExtensions.KeyUsage_Id.toString())); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.KeyUsage_Id.toString())); } boolean[] bits = ext.getBits(); 
@@ -156,10 +136,9 @@ public class KeyUsageExtConstraint extends EnrollConstraint { if (!isOptional(value)) { boolean critical = getBoolean(value); - if (critical != ext.isCritical()) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + if (critical != ext.isCritical()) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_CRITICAL_NOT_MATCHED")); } } value = getConfig(CONFIG_DIGITAL_SIGNATURE); 
@@ -167,117 +146,105 @@ public class KeyUsageExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != isSet(bits, 0)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_NON_REPUDIATION); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 1)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_KEY_ENCIPHERMENT); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 2)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_KEY_ENCIPHERMENT_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_ENCIPHERMENT_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_DATA_ENCIPHERMENT); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 3)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_DATA_ENCIPHERMENT_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DATA_ENCIPHERMENT_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_KEY_AGREEMENT); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 4)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_KEY_AGREEMENT_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_AGREEMENT_NOT_MATCHED", value)); + } } value = 
getConfig(CONFIG_KEY_CERTSIGN); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 5)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_KEY_CERTSIGN_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_CERTSIGN_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_CRL_SIGN); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 6)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CRL_SIGN_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_CRL_SIGN_NOT_MATCHED", + value)); + } } value = getConfig(CONFIG_ENCIPHER_ONLY); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 7)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_ENCIPHER_ONLY_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_ENCIPHER_ONLY_NOT_MATCHED", value)); + } } value = getConfig(CONFIG_DECIPHER_ONLY); if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, 8)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_DECIPHER_ONLY_NOT_MATCHED", - value)); - } + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DECIPHER_ONLY_NOT_MATCHED", value)); + } } } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_CRITICAL), + String params[] = { getConfig(CONFIG_CRITICAL), getConfig(CONFIG_DIGITAL_SIGNATURE), getConfig(CONFIG_NON_REPUDIATION), getConfig(CONFIG_KEY_ENCIPHERMENT), getConfig(CONFIG_DATA_ENCIPHERMENT), getConfig(CONFIG_KEY_AGREEMENT), - getConfig(CONFIG_KEY_CERTSIGN), - getConfig(CONFIG_CRL_SIGN), + getConfig(CONFIG_KEY_CERTSIGN), getConfig(CONFIG_CRL_SIGN), 
getConfig(CONFIG_ENCIPHER_ONLY), - getConfig(CONFIG_DECIPHER_ONLY) - }; + getConfig(CONFIG_DECIPHER_ONLY) }; - return CMS.getUserMessage(locale, + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_KEY_USAGE_EXT_TEXT", params); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java index fe20b766c..bd2885472 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Locale; import netscape.security.extensions.NSCertTypeExtension; @@ -36,12 +35,11 @@ import com.netscape.cms.profile.def.NSCertTypeExtDefault; import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserExtensionDefault; - /** - * This class implements the Netscape certificate type extension constraint. - * It checks if the Netscape certificate type extension in the certificate - * template satisfies the criteria. - * + * This class implements the Netscape certificate type extension constraint. It + * checks if the Netscape certificate type extension in the certificate template + * satisfies the criteria. + * * @version $Revision$, $Date$ */ public class NSCertTypeExtConstraint extends EnrollConstraint { 
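Review bot: `KeyUsageExtConstraint.validate` repeats the same `if (!isOptional(value)) { boolean bit = getBoolean(value); if (bit != isSet(bits, n)) throw ... }` block nine times, differing only in the config key, the bit index and the message key; a private helper collapses it to nine one-line calls and makes the index/message pairing visible at a glance. Whether `isSet` guards against `bits` being shorter than nine entries is not visible here, so the helper below keeps that call unchanged. `validate` starts in the previous hunk of this file.
```java
/**
 * Rejects the request when the value configured under {@code configName}
 * is not optional and disagrees with bit {@code index} of the extension.
 */
private void checkBit(IRequest request, boolean[] bits, int index,
        String configName, String msgKey) throws ERejectException {
    String value = getConfig(configName);
    if (isOptional(value)) {
        return;
    }
    if (getBoolean(value) != isSet(bits, index)) {
        throw new ERejectException(CMS.getUserMessage(
                getLocale(request), msgKey, value));
    }
}
// … in validate(), after the criticality check:
checkBit(request, bits, 0, CONFIG_DIGITAL_SIGNATURE,
        "CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED");
checkBit(request, bits, 1, CONFIG_NON_REPUDIATION,
        "CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED");
// … unchanged: remaining seven bits follow the same pattern …
```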
@@ -68,63 +66,51 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { + public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_CRITICAL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); } else if (name.equals(CONFIG_SSL_CLIENT)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); } else if (name.equals(CONFIG_SSL_SERVER)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); } else if (name.equals(CONFIG_EMAIL)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); } else if (name.equals(CONFIG_OBJECT_SIGNING)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); } else if (name.equals(CONFIG_SSL_CA)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); } else if (name.equals(CONFIG_EMAIL_CA)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); } else if 
(name.equals(CONFIG_OBJECT_SIGNING_CA)) { - return new Descriptor(IDescriptor.CHOICE, "true,false,-", - "-", - CMS.getUserMessage(locale, - "CMS_PROFILE_OBJECT_SIGNING_CA")); + return new Descriptor(IDescriptor.CHOICE, "true,false,-", "-", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING_CA")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { - NSCertTypeExtension ext = (NSCertTypeExtension) - getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + throws ERejectException { + NSCertTypeExtension ext = (NSCertTypeExtension) getExtension( + NSCertTypeExtension.CertType_Id.toString(), info); if (ext == null) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_EXTENSION_NOT_FOUND", - NSCertTypeExtension.CertType_Id.toString())); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + NSCertTypeExtension.CertType_Id.toString())); } String value = getConfig(CONFIG_CRITICAL); @@ -132,10 +118,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { if (!isOptional(value)) { boolean critical = getBoolean(value); - if (critical != ext.isCritical()) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + if (critical != ext.isCritical()) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_CRITICAL_NOT_MATCHED")); } } value = getConfig(CONFIG_SSL_CLIENT); 
@@ -143,10 +128,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(0)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED", value)); } } value = getConfig(CONFIG_SSL_SERVER); @@ -154,10 +138,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(1)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SSL_SERVER_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_SSL_SERVER_NOT_MATCHED", value)); } } value = getConfig(CONFIG_EMAIL); @@ -165,10 +148,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(2)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_EMAIL_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_EMAIL_NOT_MATCHED", + value)); } } value = getConfig(CONFIG_OBJECT_SIGNING); @@ -176,10 +158,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(3)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED", value)); } } value = getConfig(CONFIG_SSL_CA); 
@@ -187,10 +168,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(4)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SSL_CA_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_SSL_CA_NOT_MATCHED", + value)); } } value = getConfig(CONFIG_EMAIL_CA); @@ -198,10 +178,9 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(5)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_EMAIL_CA_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_EMAIL_CA_NOT_MATCHED", + value)); } } value = getConfig(CONFIG_OBJECT_SIGNING_CA); @@ -209,27 +188,21 @@ public class NSCertTypeExtConstraint extends EnrollConstraint { boolean bit = getBoolean(value); if (bit != ext.isSet(6)) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED", - value)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED", value)); } } } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_CRITICAL), - getConfig(CONFIG_SSL_CLIENT), - getConfig(CONFIG_SSL_SERVER), - getConfig(CONFIG_EMAIL), - getConfig(CONFIG_OBJECT_SIGNING), - getConfig(CONFIG_SSL_CA), - getConfig(CONFIG_EMAIL_CA), - getConfig(CONFIG_OBJECT_SIGNING_CA) - }; - - return CMS.getUserMessage(locale, + String params[] = { getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params); } 
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java index 108c32b17..47de8e3fb 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Enumeration; import java.util.Locale; import java.util.Vector; @@ -34,17 +33,16 @@ import com.netscape.certsrv.property.EPropertyException; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; - /** * This class implements no constraint. - * + * * @version $Revision$, $Date$ */ public class NoConstraint implements IPolicyConstraint { public static final String CONFIG_NAME = "name"; - private IConfigStore mConfig = null; + private IConfigStore mConfig = null; private Vector mNames = new Vector(); public Enumeration getConfigNames() { @@ -55,8 +53,7 @@ public class NoConstraint implements IPolicyConstraint { return null; } - public void setConfig(String name, String value) - throws EPropertyException { + public void setConfig(String name, String value) throws EPropertyException { } public String getConfig(String name) { @@ -68,7 +65,7 @@ public class NoConstraint implements IPolicyConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { mConfig = config; } 
@@ -77,15 +74,13 @@ public class NoConstraint implements IPolicyConstraint { } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ - public void validate(IRequest request) - throws ERejectException { + public void validate(IRequest request) throws ERejectException { } public String getText(Locale locale) { - return CMS.getUserMessage(locale, + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_NO_CONSTRAINT_TEXT"); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java index 91d5a46aa..d09fd779a 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.math.BigInteger; import java.util.Date; import java.util.Locale; @@ -36,17 +35,16 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.def.NoDefault; - /** - * This class supports renewal grace period, which has two - * parameters: graceBefore and graceAfter - * + * This class supports renewal grace period, which has two parameters: + * graceBefore and graceAfter + * * @author Christina Fu * @version $Revision$, $Date$ */ public class RenewGracePeriodConstraint extends EnrollConstraint { - // for renewal: # of days before the orig cert expiration date + // for renewal: # of days before the orig cert expiration date public static final String CONFIG_RENEW_GRACE_BEFORE = "renewal.graceBefore"; // for renewal: # of days after the orig cert expiration date public static final String CONFIG_RENEW_GRACE_AFTER = "renewal.graceAfter"; 
@@ -58,27 +56,30 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public void setConfig(String name, String value) - throws EPropertyException { - if ( name.equals(CONFIG_RENEW_GRACE_BEFORE) || - name.equals(CONFIG_RENEW_GRACE_AFTER)) { - try { - Integer.parseInt(value); - } catch (Exception e) { + public void setConfig(String name, String value) throws EPropertyException { + if (name.equals(CONFIG_RENEW_GRACE_BEFORE) + || name.equals(CONFIG_RENEW_GRACE_AFTER)) { + try { + Integer.parseInt(value); + } catch (Exception e) { throw new EPropertyException(CMS.getUserMessage( - "CMS_INVALID_PROPERTY", CONFIG_RENEW_GRACE_BEFORE +" or "+ CONFIG_RENEW_GRACE_AFTER)); - } + "CMS_INVALID_PROPERTY", CONFIG_RENEW_GRACE_BEFORE + + " or " + CONFIG_RENEW_GRACE_AFTER)); + } } super.setConfig(name, value); } public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_RENEW_GRACE_BEFORE)) { - return new Descriptor(IDescriptor.INTEGER, null, "30", + return new Descriptor( + IDescriptor.INTEGER, + null, + "30", CMS.getUserMessage(locale, "CMS_PROFILE_RENEW_GRACE_BEFORE")); } else if (name.equals(CONFIG_RENEW_GRACE_AFTER)) { return new Descriptor(IDescriptor.INTEGER, null, "30", 
@@ -88,75 +89,82 @@ public class RenewGracePeriodConstraint extends EnrollConstraint { } public void validate(IRequest req, X509CertInfo info) - throws ERejectException { - String origExpDate_s = req.getExtDataInString("origNotAfter"); - // probably not for renewal - if (origExpDate_s == null) { - return; - } else { - CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing"); - } - CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); - BigInteger origExpDate_BI = new BigInteger(origExpDate_s); - Date origExpDate = new Date(origExpDate_BI.longValue()); - String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); - String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); - int renew_grace_before = 0; - int renew_grace_after = 0; - BigInteger renew_grace_before_BI = new BigInteger(renew_grace_before_s); - BigInteger renew_grace_after_BI= new BigInteger(renew_grace_after_s); - - // -1 means no limit - if (renew_grace_before_s == "") - renew_grace_before = -1; - else - renew_grace_before = Integer.parseInt(renew_grace_before_s); - - if (renew_grace_after_s == "") - renew_grace_after = -1; - else - renew_grace_after = Integer.parseInt(renew_grace_after_s); - - if (renew_grace_before > 0) - renew_grace_before_BI = renew_grace_before_BI.multiply(BigInteger.valueOf(1000 * 86400)); - if (renew_grace_after > 0) - renew_grace_after_BI = renew_grace_after_BI.multiply(BigInteger.valueOf(1000 * 86400)); - - Date current = CMS.getCurrentDate(); - long millisDiff = origExpDate.getTime() - current.getTime(); - CMS.debug("validateRenewGracePeriod: millisDiff=" + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime()); - - /* - * "days", if positive, has to be less than renew_grace_before - * "days", if negative, means already past expiration date, - * (abs value) has to be less than renew_grace_after - * if renew_grace_before or renew_grace_after are negative - * the one with negative value 
is ignored - */ - if (millisDiff >= 0) { - if ((renew_grace_before>0) && (millisDiff > renew_grace_before_BI.longValue())) { - throw new ERejectException(CMS.getUserMessage(getLocale(req), - "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", - renew_grace_before+" days before and "+ - renew_grace_after+" days after original cert expiration date")); - } - } else { - if ((renew_grace_after > 0) && ((0-millisDiff) > renew_grace_after_BI.longValue())) { - throw new ERejectException(CMS.getUserMessage(getLocale(req), - "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", - renew_grace_before+" days before and "+ - renew_grace_after+" days after original cert expiration date")); - } - } + throws ERejectException { + String origExpDate_s = req.getExtDataInString("origNotAfter"); + // probably not for renewal + if (origExpDate_s == null) { + return; + } else { + CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing"); + } + CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); + BigInteger origExpDate_BI = new BigInteger(origExpDate_s); + Date origExpDate = new Date(origExpDate_BI.longValue()); + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + int renew_grace_before = 0; + int renew_grace_after = 0; + BigInteger renew_grace_before_BI = new BigInteger(renew_grace_before_s); + BigInteger renew_grace_after_BI = new BigInteger(renew_grace_after_s); + + // -1 means no limit + if (renew_grace_before_s == "") + renew_grace_before = -1; + else + renew_grace_before = Integer.parseInt(renew_grace_before_s); + + if (renew_grace_after_s == "") + renew_grace_after = -1; + else + renew_grace_after = Integer.parseInt(renew_grace_after_s); + + if (renew_grace_before > 0) + renew_grace_before_BI = renew_grace_before_BI.multiply(BigInteger + .valueOf(1000 * 86400)); + if (renew_grace_after > 0) + renew_grace_after_BI = renew_grace_after_BI.multiply(BigInteger + .valueOf(1000 * 
86400)); + + Date current = CMS.getCurrentDate(); + long millisDiff = origExpDate.getTime() - current.getTime(); + CMS.debug("validateRenewGracePeriod: millisDiff=" + millisDiff + + " origExpDate=" + origExpDate.getTime() + " current=" + + current.getTime()); + + /* + * "days", if positive, has to be less than renew_grace_before "days", + * if negative, means already past expiration date, (abs value) has to + * be less than renew_grace_after if renew_grace_before or + * renew_grace_after are negative the one with negative value is ignored + */ + if (millisDiff >= 0) { + if ((renew_grace_before > 0) + && (millisDiff > renew_grace_before_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + + " days after original cert expiration date")); + } + } else { + if ((renew_grace_after > 0) + && ((0 - millisDiff) > renew_grace_after_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + + " days after original cert expiration date")); + } + } } - public String getText(Locale locale) { String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); - String renew_grace_after_s= getConfig(CONFIG_RENEW_GRACE_AFTER); - return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", - renew_grace_before_s+" days before and "+ - renew_grace_after_s+" days after original cert expiration date"); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", renew_grace_before_s + + " days before and " + renew_grace_after_s + + " days after original cert expiration date"); } public boolean isApplicable(IPolicyDefault def) { 
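Review bot: In the validate body, `new BigInteger(renew_grace_before_s)` and `new BigInteger(renew_grace_after_s)` run before the empty-string checks, so an unset grace value surfaces as a NumberFormatException (or an NPE if getConfig returns null for an unset key — cannot tell from here) instead of the ERejectException this method is declared to throw, and the `-1 means no limit` path is never reached; the checks themselves use `renew_grace_before_s == ""`, which is reference equality on a String and will be false for a value read from the config store. The reformat carries both problems over unchanged. Parse only after an `"".equals(...)` check, convert the parsed int with `BigInteger.valueOf`, and map NumberFormatException to ERejectException the way UniqueKeyConstraint already does with `CMS_PROFILE_INTERNAL_ERROR`. The whole validate body lies within this hunk.
```java
        String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE);
        String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER);
        // -1 means no limit; parse only after the empty check so an unset or
        // malformed value is reported as a rejection, not as an escaped
        // NumberFormatException
        int renew_grace_before = -1;
        int renew_grace_after = -1;
        try {
            if (renew_grace_before_s != null && !"".equals(renew_grace_before_s))
                renew_grace_before = Integer.parseInt(renew_grace_before_s);
            if (renew_grace_after_s != null && !"".equals(renew_grace_after_s))
                renew_grace_after = Integer.parseInt(renew_grace_after_s);
        } catch (NumberFormatException e) {
            throw new ERejectException(CMS.getUserMessage(getLocale(req),
                    "CMS_PROFILE_INTERNAL_ERROR", e.toString()));
        }
        BigInteger renew_grace_before_BI = BigInteger.valueOf(renew_grace_before);
        BigInteger renew_grace_after_BI = BigInteger.valueOf(renew_grace_after);
        // … unchanged: millisecond scaling, millisDiff computation and the
        // before/after window checks …
```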
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java index f570c26e6..40a34c0b3 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; @@ -40,12 +39,10 @@ import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.SigningAlgDefault; import com.netscape.cms.profile.def.UserSigningAlgDefault; - /** - * This class implements the signing algorithm constraint. - * It checks if the signing algorithm in the certificate - * template satisfies the criteria. - * + * This class implements the signing algorithm constraint. It checks if the + * signing algorithm in the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class SigningAlgConstraint extends EnrollConstraint { 
@@ -69,29 +66,27 @@ public class SigningAlgConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public void setConfig(String name, String value) - throws EPropertyException { + public void setConfig(String name, String value) throws EPropertyException { if (mConfig.getSubStore("params") == null) { CMS.debug("SigningAlgConstraint: mConfig.getSubStore is null"); } else { - CMS.debug("SigningAlgConstraint: setConfig name=" + name + - " value=" + value); - - if(name.equals(CONFIG_ALGORITHMS_ALLOWED)) - { - StringTokenizer st = new StringTokenizer(value, ","); - while (st.hasMoreTokens()) { - String v = st.nextToken(); - if (DEF_CONFIG_ALGORITHMS.indexOf(v) == -1) { - throw new EPropertyException( - CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", v)); - } - } + CMS.debug("SigningAlgConstraint: setConfig name=" + name + + " value=" + value); + + if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { + StringTokenizer st = new StringTokenizer(value, ","); + while (st.hasMoreTokens()) { + String v = st.nextToken(); + if (DEF_CONFIG_ALGORITHMS.indexOf(v) == -1) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_PROPERTY_ERROR", v)); + } + } } mConfig.getSubStore("params").putString(name, value); } 
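Review bot: The allow-list check `DEF_CONFIG_ALGORITHMS.indexOf(v) == -1` in setConfig is a substring test, so partial tokens such as `SHA` or `withRSA`, or any token that happens to be a substring of a longer algorithm name, pass validation into the allowed-algorithms setting even though they name no algorithm; the value of DEF_CONFIG_ALGORITHMS is outside this hunk, so the exact set of strings that slip through cannot be listed here. The validate in the next hunk appears to compare exact tokens via `mCache.contains(id.toString())`, so the likely effect is a profile that silently rejects every request rather than one that admits extra algorithms, but admin-entered config should still be validated against whole tokens. Compare tokens exactly instead: `if (!Arrays.asList(DEF_CONFIG_ALGORITHMS.split(",")).contains(v))` (needs `java.util.Arrays`), or tokenize DEF_CONFIG_ALGORITHMS with the same StringTokenizer and test `contains`.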
@@ -100,25 +95,24 @@ public class SigningAlgConstraint extends EnrollConstraint { public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { return new Descriptor(IDescriptor.STRING, null, - DEF_CONFIG_ALGORITHMS, - CMS.getUserMessage(locale, - "CMS_PROFILE_SIGNING_ALGORITHMS_ALLOWED")); + DEF_CONFIG_ALGORITHMS, CMS.getUserMessage(locale, + "CMS_PROFILE_SIGNING_ALGORITHMS_ALLOWED")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CertificateAlgorithmId algId = null; try { - algId = (CertificateAlgorithmId) info.get(X509CertInfo.ALGORITHM_ID); - AlgorithmId id = (AlgorithmId) - algId.get(CertificateAlgorithmId.ALGORITHM); + algId = (CertificateAlgorithmId) info + .get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) algId + .get(CertificateAlgorithmId.ALGORITHM); Vector mCache = new Vector(); StringTokenizer st = new StringTokenizer( 
@@ -132,22 +126,25 @@ public class SigningAlgConstraint extends EnrollConstraint { if (!mCache.contains(id.toString())) { throw new ERejectException(CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED", id.toString())); + getLocale(request), + "CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED", + id.toString())); } } catch (Exception e) { if (e instanceof ERejectException) { throw (ERejectException) e; } CMS.debug("SigningAlgConstraint: " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_SIGNING_ALGORITHM_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SIGNING_ALGORITHM_NOT_FOUND")); } } public String getText(Locale locale) { - return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT", getConfig(CONFIG_ALGORITHMS_ALLOWED)); + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT", + getConfig(CONFIG_ALGORITHMS_ALLOWED)); } public boolean isApplicable(IPolicyDefault def) { diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java index 7ce32f00e..547ce4336 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.io.IOException; import java.util.Locale; 
@@ -38,12 +37,10 @@ import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.SubjectNameDefault; import com.netscape.cms.profile.def.UserSubjectNameDefault; - /** - * This class implements the subject name constraint. - * It checks if the subject name in the certificate - * template satisfies the criteria. - * + * This class implements the subject name constraint. It checks if the subject + * name in the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class SubjectNameConstraint extends EnrollConstraint { @@ -56,15 +53,15 @@ public class SubjectNameConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { - if (name.equals(CONFIG_PATTERN)) { - return new Descriptor(IDescriptor.STRING, - null, null, - CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME_PATTERN")); + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME_PATTERN")); } else { return null; } 
@@ -75,54 +72,48 @@ public class SubjectNameConstraint extends EnrollConstraint { } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CMS.debug("SubjectNameConstraint: validate start"); CertificateSubjectName sn = null; try { sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); - CMS.debug("SubjectNameConstraint: validate cert subject ="+ - sn.toString()); + CMS.debug("SubjectNameConstraint: validate cert subject =" + + sn.toString()); } catch (Exception e) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); } X500Name sn500 = null; try { sn500 = (X500Name) sn.get(CertificateSubjectName.DN_NAME); } catch (IOException e) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); } if (sn500 == null) { CMS.debug("SubjectNameConstraint: validate() - sn500 is null"); - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); } else { - CMS.debug("SubjectNameConstraint: validate() - sn500 "+ - CertificateSubjectName.DN_NAME + " = "+ - sn500.toString()); + CMS.debug("SubjectNameConstraint: validate() - sn500 " + + CertificateSubjectName.DN_NAME + " = " + sn500.toString()); } if (!sn500.toString().matches(getConfig(CONFIG_PATTERN))) { - CMS.debug("SubjectNameConstraint: validate() - sn500 not matching pattern "+ getConfig(CONFIG_PATTERN)); - 
throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", - sn500.toString())); + CMS.debug("SubjectNameConstraint: validate() - sn500 not matching pattern " + + getConfig(CONFIG_PATTERN)); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", sn500.toString())); } } public String getText(Locale locale) { - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT", + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT", getConfig(CONFIG_PATTERN)); } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java index b47e2230d..f02a5c7c8 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.util.Enumeration; import java.util.Locale; 
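Review bot: `sn500.toString().matches(getConfig(CONFIG_PATTERN))` at the end of validate uses the configured pattern without a guard: the descriptor in the previous hunk gives CONFIG_PATTERN a null default, so an unconfigured pattern escapes validate as a NullPointerException and a malformed one as a PatternSyntaxException, rather than the ERejectException callers of this method expect (how the enrollment pipeline treats such unchecked exceptions is not visible here). A missing pattern should fail closed with the same rejection, and a non-compiling pattern should be logged and rejected rather than crash the request; catching IllegalArgumentException (the parent of PatternSyntaxException) avoids a new import. The match also runs against the `X500Name.toString()` rendering, so the regex is tied to that string form (attribute order and escaping) — worth a comment on the CONFIG_PATTERN descriptor. The validate body lies fully within this hunk.
```java
        // … unchanged: subject extraction and null checks …
        String pattern = getConfig(CONFIG_PATTERN);
        boolean matched = false;
        if (pattern != null && pattern.length() > 0) {
            try {
                matched = sn500.toString().matches(pattern);
            } catch (IllegalArgumentException e) {
                // PatternSyntaxException: the admin-supplied regex does not compile
                CMS.debug("SubjectNameConstraint: validate() - bad pattern "
                        + pattern + ": " + e.toString());
            }
        }
        if (!matched) {
            CMS.debug("SubjectNameConstraint: validate() - sn500 not matching pattern "
                    + pattern);
            throw new ERejectException(CMS.getUserMessage(getLocale(request),
                    "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", sn500.toString()));
        }
```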
@@ -43,57 +42,52 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.def.NoDefault; /** - * This constraint is to check for publickey uniqueness. - * The config param "allowSameKeyRenewal" enables the - * situation where if the publickey is not unique, and if - * the subject DN is the same, that is a "renewal". - * - * Another "feature" that is quoted out of this code is the - * "revokeDupKeyCert" option, which enables the revocation - * of certs that bear the same publickey as the enrolling - * request. Since this can potentially be abused, it is taken - * out and preserved in comments to allow future refinement. - * + * This constraint is to check for publickey uniqueness. The config param + * "allowSameKeyRenewal" enables the situation where if the publickey is not + * unique, and if the subject DN is the same, that is a "renewal". + * + * Another "feature" that is quoted out of this code is the "revokeDupKeyCert" + * option, which enables the revocation of certs that bear the same publickey as + * the enrolling request. Since this can potentially be abused, it is taken out + * and preserved in comments to allow future refinement. 
+ * * @version $Revision$, $Date$ */ public class UniqueKeyConstraint extends EnrollConstraint { - /* - public static final String CONFIG_REVOKE_DUPKEY_CERT = - "revokeDupKeyCert"; - boolean mRevokeDupKeyCert = false; - */ - public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = - "allowSameKeyRenewal"; - boolean mAllowSameKeyRenewal = false; + /* + * public static final String CONFIG_REVOKE_DUPKEY_CERT = + * "revokeDupKeyCert"; boolean mRevokeDupKeyCert = false; + */ + public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = "allowSameKeyRenewal"; + boolean mAllowSameKeyRenewal = false; public ICertificateAuthority mCA = null; - public UniqueKeyConstraint() { - super(); - /* - addConfigName(CONFIG_REVOKE_DUPKEY_CERT); - */ - addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); - } + public UniqueKeyConstraint() { + super(); + /* + * addConfigName(CONFIG_REVOKE_DUPKEY_CERT); + */ + addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); + } - public void init(IProfile profile, IConfigStore config) - throws EProfileException { + public void init(IProfile profile, IConfigStore config) + throws EProfileException { super.init(profile, config); - mCA = (ICertificateAuthority) - CMS.getSubsystem(CMS.SUBSYSTEM_CA); + mCA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); } - public IDescriptor getConfigDescriptor(Locale locale, String name) - { - /* - if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { - return new Descriptor(IDescriptor.BOOLEAN, null, "false", - CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); - } - */ - if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { - return new Descriptor(IDescriptor.BOOLEAN, null, "false", - CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); - } + public IDescriptor getConfigDescriptor(Locale locale, String name) { + /* + * if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { return new + * Descriptor(IDescriptor.BOOLEAN, null, "false", + * CMS.getUserMessage(locale, 
"CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); + * } + */ + if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, + "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); + } return null; } 
@@ -102,173 +96,156 @@ public class UniqueKeyConstraint extends EnrollConstraint { } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { - boolean rejected = false; - int size = 0; - ICertRecordList list; + throws ERejectException { + boolean rejected = false; + int size = 0; + ICertRecordList list; - /* - mRevokeDupKeyCert = - getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); - */ - mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); + /* + * mRevokeDupKeyCert = getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); + */ + mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); try { - CertificateX509Key infokey = (CertificateX509Key) - info.get(X509CertInfo.KEY); - X509Key key = (X509Key) - infokey.get(CertificateX509Key.KEY); - - // check for key uniqueness - byte pub[] = key.getEncoded(); - String pub_s = escapeBinaryData(pub); - String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA +"=" + pub_s + ")"; - list = - (ICertRecordList) - mCA.getCertificateRepository().findCertRecordsInList(filter, null, 10); - size = list.getSize(); + CertificateX509Key infokey = (CertificateX509Key) info + .get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + + // check for key uniqueness + byte pub[] = key.getEncoded(); + String pub_s = escapeBinaryData(pub); + String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA + + "=" + pub_s + ")"; + list = (ICertRecordList) mCA.getCertificateRepository() + .findCertRecordsInList(filter, null, 10); + size = list.getSize(); } catch (Exception e) { - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_INTERNAL_ERROR",e.toString())); - } - - /* - * It does not matter if the corresponding cert's status - * is valid or not, we don't want a 
key that was once - * generated before - */ - if (size > 0) { - CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); - - /* - The following code revokes the existing certs that have - the same public key as the one submitted for enrollment - request. However, it is not a good idea due to possible - abuse. It is therefore commented out. It is still - however still maintained for possible utilization at later - time - - // if configured to revoke duplicated key - // revoke cert - if (mRevokeDupKeyCert) { - try { - Enumeration e = list.getCertRecords(0, size-1); - while (e != null && e.hasMoreElements()) { - ICertRecord rec = (ICertRecord) e.nextElement(); - X509CertImpl cert = rec.getCertificate(); - - // revoke the cert - BigInteger serialNum = cert.getSerialNumber(); - ICAService service = (ICAService) mCA.getCAService(); - - RevokedCertImpl crlEntry = - formCRLEntry(serialNum, RevocationReason.KEY_COMPROMISE); - service.revokeCert(crlEntry); - CMS.debug("UniqueKeyConstraint: certificate with duplicate publickey revoked successfully"); - } - } catch (Exception ex) { - CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); - } - } // revoke dupkey cert turned on - */ - - if (mAllowSameKeyRenewal == true) { - X500Name sjname_in_db = null; - X500Name sjname_in_req = null; - - try { - // get subject of request - CertificateSubjectName subName = - (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); - - if (subName != null) { - - sjname_in_req = - (X500Name) subName.get(CertificateSubjectName.DN_NAME); - CMS.debug("UniqueKeyConstraint: cert request subject DN ="+ sjname_in_req.toString()); - Enumeration e = list.getCertRecords(0, size-1); - while (e != null && e.hasMoreElements()) { - ICertRecord rec = (ICertRecord) e.nextElement(); - X509CertImpl cert = rec.getCertificate(); - String certDN = - cert.getSubjectDN().toString(); - CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN ="+ certDN); - - sjname_in_db = new 
X500Name(certDN); - - if (sjname_in_db.equals(sjname_in_req) == false) { - rejected = true; - break; - } else { - rejected = false; - } - } // while - } else { //subName is null - rejected = true; - } - } catch (Exception ex1) { - CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: "+ex1.toString()); - rejected = true; - } // try - - } else { - rejected = true; - }// allowSameKeyRenewal - } // (size > 0) + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INTERNAL_ERROR", e.toString())); + } - if (rejected == true) { - CMS.debug("UniqueKeyConstraint: rejected"); - throw new ERejectException( - CMS.getUserMessage( - getLocale(request), - "CMS_PROFILE_DUPLICATE_KEY")); - } else { - CMS.debug("UniqueKeyConstraint: approved"); - } + /* + * It does not matter if the corresponding cert's status is valid or + * not, we don't want a key that was once generated before + */ + if (size > 0) { + CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); + + /* + * The following code revokes the existing certs that have the same + * public key as the one submitted for enrollment request. However, + * it is not a good idea due to possible abuse. It is therefore + * commented out. 
It is still however still maintained for possible + * utilization at later time + * + * // if configured to revoke duplicated key // revoke cert if + * (mRevokeDupKeyCert) { try { Enumeration e = + * list.getCertRecords(0, size-1); while (e != null && + * e.hasMoreElements()) { ICertRecord rec = (ICertRecord) + * e.nextElement(); X509CertImpl cert = rec.getCertificate(); + * + * // revoke the cert BigInteger serialNum = cert.getSerialNumber(); + * ICAService service = (ICAService) mCA.getCAService(); + * + * RevokedCertImpl crlEntry = formCRLEntry(serialNum, + * RevocationReason.KEY_COMPROMISE); service.revokeCert(crlEntry); + * CMS.debug( + * "UniqueKeyConstraint: certificate with duplicate publickey revoked successfully" + * ); } } catch (Exception ex) { + * CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); } + * } // revoke dupkey cert turned on + */ + + if (mAllowSameKeyRenewal == true) { + X500Name sjname_in_db = null; + X500Name sjname_in_req = null; + + try { + // get subject of request + CertificateSubjectName subName = (CertificateSubjectName) info + .get(X509CertInfo.SUBJECT); + + if (subName != null) { + + sjname_in_req = (X500Name) subName + .get(CertificateSubjectName.DN_NAME); + CMS.debug("UniqueKeyConstraint: cert request subject DN =" + + sjname_in_req.toString()); + Enumeration e = list.getCertRecords(0, size - 1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + String certDN = cert.getSubjectDN().toString(); + CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + + certDN); + + sjname_in_db = new X500Name(certDN); + + if (sjname_in_db.equals(sjname_in_req) == false) { + rejected = true; + break; + } else { + rejected = false; + } + } // while + } else { // subName is null + rejected = true; + } + } catch (Exception ex1) { + CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + + ex1.toString()); + rejected = 
true; + } // try + + } else { + rejected = true; + }// allowSameKeyRenewal + } // (size > 0) + + if (rejected == true) { + CMS.debug("UniqueKeyConstraint: rejected"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_DUPLICATE_KEY")); + } else { + CMS.debug("UniqueKeyConstraint: approved"); + } } - /** + /** * make a CRL entry from a serial number and revocation reason. + * * @return a RevokedCertImpl that can be entered in a CRL. - - protected RevokedCertImpl formCRLEntry( - BigInteger serialNo, RevocationReason reason) - throws EBaseException { - CRLReasonExtension reasonExt = new CRLReasonExtension(reason); - CRLExtensions crlentryexts = new CRLExtensions(); - - try { - crlentryexts.set(CRLReasonExtension.NAME, reasonExt); - } catch (IOException e) { - CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); - - // throw new ECMSGWException( - // CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); - - } - RevokedCertImpl crlentry = - new RevokedCertImpl(serialNo, CMS.getCurrentDate(), - crlentryexts); - - return crlentry; - } - */ + * + * protected RevokedCertImpl formCRLEntry( BigInteger serialNo, + * RevocationReason reason) throws EBaseException { + * CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + * CRLExtensions crlentryexts = new CRLExtensions(); + * + * try { crlentryexts.set(CRLReasonExtension.NAME, reasonExt); } + * catch (IOException e) { + * CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); + * + * // throw new ECMSGWException( // + * CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); + * + * } RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, + * CMS.getCurrentDate(), crlentryexts); + * + * return crlentry; } + */ public String getText(Locale locale) { String params[] = { -/* - getConfig(CONFIG_REVOKE_DUPKEY_CERT), -*/ - }; + /* + * getConfig(CONFIG_REVOKE_DUPKEY_CERT), + */ + }; - return CMS.getUserMessage(locale, + return CMS.getUserMessage(locale, 
"CMS_PROFILE_CONSTRAINT_ALLOW_SAME_KEY_RENEWAL_TEXT", params); } @@ -285,12 +262,12 @@ public class UniqueKeyConstraint extends EnrollConstraint { } public boolean isApplicable(IPolicyDefault def) { - if (def instanceof NoDefault) - return true; + if (def instanceof NoDefault) + return true; if (def instanceof UniqueKeyConstraint) return true; - return false; + return false; } } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java index 89b8d4602..2d5db341f 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java @@ -51,17 +51,15 @@ import com.netscape.cms.profile.def.SubjectNameDefault; import com.netscape.cms.profile.def.UserSubjectNameDefault; /** - * This class implements the unique subject name constraint. - * It checks if the subject name in the certificate is - * unique in the internal database, ie, no two certificates - * have the same subject name. - * + * This class implements the unique subject name constraint. It checks if the + * subject name in the certificate is unique in the internal database, ie, no + * two certificates have the same subject name. + * * @version $Revision$, $Date$ */ public class UniqueSubjectNameConstraint extends EnrollConstraint { - public static final String CONFIG_KEY_USAGE_EXTENSION_CHECKING = - "enableKeyUsageExtensionChecking"; + public static final String CONFIG_KEY_USAGE_EXTENSION_CHECKING = "enableKeyUsageExtensionChecking"; private boolean mKeyUsageExtensionChecking = true; public UniqueSubjectNameConstraint() { 
@@ -69,14 +67,15 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public IDescriptor getConfigDescriptor(Locale locale, String name) { + public IDescriptor getConfigDescriptor(Locale locale, String name) { if (name.equals(CONFIG_KEY_USAGE_EXTENSION_CHECKING)) { return new Descriptor(IDescriptor.BOOLEAN, null, "true", - CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING")); + CMS.getUserMessage(locale, + "CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING")); } return null; } @@ -85,20 +84,19 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { return null; } - /** - * Checks if the key extension in the issued certificate - * is the same as the one in the certificate template. - */ - private boolean sameKeyUsageExtension(ICertRecord rec, - X509CertInfo certInfo) { + /** + * Checks if the key extension in the issued certificate is the same as the + * one in the certificate template. + */ + private boolean sameKeyUsageExtension(ICertRecord rec, X509CertInfo certInfo) { X509CertImpl impl = rec.getCertificate(); boolean bits[] = impl.getKeyUsage(); CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); } catch (IOException e) { } catch (java.security.cert.CertificateException e) { } @@ -109,10 +107,10 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { return false; } else { try { - ext = (KeyUsageExtension) extensions.get( - KeyUsageExtension.NAME); + ext = (KeyUsageExtension) extensions + .get(KeyUsageExtension.NAME); } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (ext == null) { 
@@ -135,48 +133,44 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { return false; } } - } + } } - return true; + return true; } - /** - * Validates the request. The request is not modified - * during the validation. - * - * Rules are as follows: - * If the subject name is not unique, then the request will be rejected unless: - * 1. the certificate is expired or expired_revoked + * Validates the request. The request is not modified during the validation. + * + * Rules are as follows: If the subject name is not unique, then the request + * will be rejected unless: 1. the certificate is expired or expired_revoked * 2. the certificate is revoked and the revocation reason is not "on hold" - * 3. the keyUsageExtension bits are different and enableKeyUsageExtensionChecking=true (default) + * 3. the keyUsageExtension bits are different and + * enableKeyUsageExtensionChecking=true (default) */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CMS.debug("UniqueSubjectNameConstraint: validate start"); CertificateSubjectName sn = null; - IAuthority authority = (IAuthority)CMS.getSubsystem("ca"); - + IAuthority authority = (IAuthority) CMS.getSubsystem("ca"); + mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING); ICertificateRepository certdb = null; if (authority != null && authority instanceof ICertificateAuthority) { - ICertificateAuthority ca = (ICertificateAuthority)authority; + ICertificateAuthority ca = (ICertificateAuthority) authority; certdb = ca.getCertificateRepository(); } - + try { sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); } catch (Exception e) { - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); } String certsubjectname = null; if (sn == null) - throw new 
ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); else { certsubjectname = sn.toString(); String filter = "x509Cert.subject=" + certsubjectname; @@ -184,7 +178,8 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { try { sameSubjRecords = certdb.findCertRecords(filter); } catch (EBaseException e) { - CMS.debug("UniqueSubjectNameConstraint exception: "+e.toString()); + CMS.debug("UniqueSubjectNameConstraint exception: " + + e.toString()); } while (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) { ICertRecord rec = (ICertRecord) sameSubjRecords.nextElement(); @@ -194,7 +189,8 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { RevocationReason reason = null; if (revocationInfo != null) { - CRLExtensions crlExts = revocationInfo.getCRLEntryExtensions(); + CRLExtensions crlExts = revocationInfo + .getCRLEntryExtensions(); if (crlExts != null) { Enumeration enumx = crlExts.getElements(); 
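Review bot: The `catch (EBaseException e)` around `certdb.findCertRecords(filter)` only logs, so a failed lookup leaves `sameSubjRecords` null, the `while` loop is skipped and the request is approved without the uniqueness check ever running — the constraint fails open. This matters because `filter` is built in the preceding hunk as `"x509Cert.subject=" + certsubjectname`, embedding the request's subject DN without LDAP-filter escaping, so a DN containing `(`, `)`, `*` or `\` can plausibly make the search fail or match differently; `certdb` is also dereferenced there without a null check after the `instanceof ICertificateAuthority` guard. Reject on failure, mirroring UniqueKeyConstraint: `throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_INTERNAL_ERROR", e.toString()));`, and escape the DN value before placing it in the filter. validate's body starts and ends outside this hunk.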
@@ -209,35 +205,33 @@ public class UniqueSubjectNameConstraint extends EnrollConstraint { } } - if (status.equals(ICertRecord.STATUS_EXPIRED) || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + if (status.equals(ICertRecord.STATUS_EXPIRED) + || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { continue; } - if (status.equals(ICertRecord.STATUS_REVOKED) && reason != null && - (! reason.equals(RevocationReason.CERTIFICATE_HOLD))) { + if (status.equals(ICertRecord.STATUS_REVOKED) && reason != null + && (!reason.equals(RevocationReason.CERTIFICATE_HOLD))) { continue; } - if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info)) { + if (mKeyUsageExtensionChecking + && !sameKeyUsageExtension(rec, info)) { continue; } - throw new ERejectException( - CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE", - certsubjectname)); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE", certsubjectname)); } } - CMS.debug("UniqueSubjectNameConstraint: validate end"); + CMS.debug("UniqueSubjectNameConstraint: validate end"); } public String getText(Locale locale) { - String params[] = { - getConfig(CONFIG_KEY_USAGE_EXTENSION_CHECKING) - }; - return CMS.getUserMessage(locale, - "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT", - params); + String params[] = { getConfig(CONFIG_KEY_USAGE_EXTENSION_CHECKING) }; + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT", params); } public boolean isApplicable(IPolicyDefault def) { diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java index 95c322214..33b1cb0d8 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java 
@@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.profile.constraint; - import java.io.IOException; import java.util.Date; import java.util.Locale; @@ -40,12 +39,10 @@ import com.netscape.cms.profile.def.NoDefault; import com.netscape.cms.profile.def.UserValidityDefault; import com.netscape.cms.profile.def.ValidityDefault; - /** - * This class implements the validity constraint. - * It checks if the validity in the certificate - * template satisfies the criteria. - * + * This class implements the validity constraint. It checks if the validity in + * the certificate template satisfies the criteria. + * * @version $Revision$, $Date$ */ public class ValidityConstraint extends EnrollConstraint { @@ -68,20 +65,19 @@ public class ValidityConstraint extends EnrollConstraint { } public void init(IProfile profile, IConfigStore config) - throws EProfileException { + throws EProfileException { super.init(profile, config); } - public void setConfig(String name, String value) - throws EPropertyException { - if (name.equals(CONFIG_RANGE) || - name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { - try { - Integer.parseInt(value); - } catch (Exception e) { + public void setConfig(String name, String value) throws EPropertyException { + if (name.equals(CONFIG_RANGE) + || name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { + try { + Integer.parseInt(value); + } catch (Exception e) { throw new EPropertyException(CMS.getUserMessage( - "CMS_INVALID_PROPERTY", name)); - } + "CMS_INVALID_PROPERTY", name)); + } } super.setConfig(name, value); } 
@@ -92,30 +88,32 @@ public class ValidityConstraint extends EnrollConstraint { CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); } else if (name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { return new Descriptor(IDescriptor.INTEGER, null, "0", - CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD")); + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD")); } else if (name.equals(CONFIG_CHECK_NOT_BEFORE)) { return new Descriptor(IDescriptor.BOOLEAN, null, "false", - CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE")); + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE")); } else if (name.equals(CONFIG_CHECK_NOT_AFTER)) { return new Descriptor(IDescriptor.BOOLEAN, null, "false", - CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER")); + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER")); } return null; } /** - * Validates the request. The request is not modified - * during the validation. + * Validates the request. The request is not modified during the validation. */ public void validate(IRequest request, X509CertInfo info) - throws ERejectException { + throws ERejectException { CertificateValidity v = null; try { v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); } catch (Exception e) { throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_VALIDITY_NOT_FOUND")); + "CMS_PROFILE_VALIDITY_NOT_FOUND")); } Date notBefore = null; @@ -124,7 +122,7 @@ public class ValidityConstraint extends EnrollConstraint { } catch (IOException e) { CMS.debug("ValidityConstraint: not before not found"); throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_VALIDITY_NOT_FOUND")); + "CMS_PROFILE_VALIDITY_NOT_FOUND")); } Date notAfter = null; 
@@ -133,33 +131,36 @@ public class ValidityConstraint extends EnrollConstraint { } catch (IOException e) { CMS.debug("ValidityConstraint: not after not found"); throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_VALIDITY_NOT_FOUND")); + "CMS_PROFILE_VALIDITY_NOT_FOUND")); } if (notAfter.getTime() < notBefore.getTime()) { - CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < notBefore (" + notBefore + ")"); + CMS.debug("ValidityConstraint: notAfter (" + notAfter + + ") < notBefore (" + notBefore + ")"); throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); + "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); } long millisDiff = notAfter.getTime() - notBefore.getTime(); - CMS.debug("ValidityConstraint: millisDiff=" + millisDiff + " notAfter=" + notAfter.getTime() + " notBefore=" + notBefore.getTime()); - long long_days = (millisDiff / 1000 ) / 86400; - CMS.debug("ValidityConstraint: long_days: "+long_days); - int days = (int)long_days; - CMS.debug("ValidityConstraint: days: "+days); + CMS.debug("ValidityConstraint: millisDiff=" + millisDiff + " notAfter=" + + notAfter.getTime() + " notBefore=" + notBefore.getTime()); + long long_days = (millisDiff / 1000) / 86400; + CMS.debug("ValidityConstraint: long_days: " + long_days); + int days = (int) long_days; + CMS.debug("ValidityConstraint: days: " + days); if (days > Integer.parseInt(getConfig(CONFIG_RANGE))) { - throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_VALIDITY_OUT_OF_RANGE", - Integer.toString(days))); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_OUT_OF_RANGE", + Integer.toString(days))); } - // 613828 - // The validity field shall specify a notBefore value - // that does not precede the current time and a notAfter - // value that does not precede the value specified in - // notBefore (test can be automated; try entering violating + // 
613828 + // The validity field shall specify a notBefore value + // that does not precede the current time and a notAfter + // value that does not precede the value specified in + // notBefore (test can be automated; try entering violating // time values and check result). String notBeforeCheckStr = getConfig(CONFIG_CHECK_NOT_BEFORE); boolean notBeforeCheck; @@ -167,7 +168,7 @@ public class ValidityConstraint extends EnrollConstraint { if (notBeforeCheckStr == null || notBeforeCheckStr.equals("")) { notBeforeCheckStr = "false"; } - notBeforeCheck = Boolean.valueOf(notBeforeCheckStr).booleanValue(); + notBeforeCheck = Boolean.valueOf(notBeforeCheckStr).booleanValue(); String notAfterCheckStr = getConfig(CONFIG_CHECK_NOT_AFTER); boolean notAfterCheck; 
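Review bot: `int days = (int) long_days;` narrows the validity length before the range check on the next line, so a request whose notAfter lies more than Integer.MAX_VALUE days past notBefore wraps to a small or negative `days` and passes `days > Integer.parseInt(getConfig(CONFIG_RANGE))`; notBefore and notAfter come from the request's X509CertInfo, which is exactly the input this constraint exists to bound. Compare in `long` instead, `if (long_days > Integer.parseInt(getConfig(CONFIG_RANGE))) {`, and build the rejection message with `Long.toString(long_days)` so the cast disappears. The integer division `(millisDiff / 1000) / 86400` also discards up to a day minus a millisecond, so a validity of range days plus 23h59m is accepted; if the range is meant as a hard bound, compare milliseconds or round up. validate's body starts and ends outside this hunk.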
@@ -175,34 +176,43 @@ public class ValidityConstraint extends EnrollConstraint { if (notAfterCheckStr == null || notAfterCheckStr.equals("")) { notAfterCheckStr = "false"; } - notAfterCheck = Boolean.valueOf(notAfterCheckStr).booleanValue(); + notAfterCheck = Boolean.valueOf(notAfterCheckStr).booleanValue(); String notBeforeGracePeriodStr = getConfig(CONFIG_NOT_BEFORE_GRACE_PERIOD); - if (notBeforeGracePeriodStr == null || notBeforeGracePeriodStr.equals("")) { + if (notBeforeGracePeriodStr == null + || notBeforeGracePeriodStr.equals("")) { notBeforeGracePeriodStr = "0"; } - long notBeforeGracePeriod = Long.parseLong(notBeforeGracePeriodStr) * SECS_IN_MS; + long notBeforeGracePeriod = Long.parseLong(notBeforeGracePeriodStr) + * SECS_IN_MS; Date current = CMS.getCurrentDate(); if (notBeforeCheck) { if (notBefore.getTime() > (current.getTime() + notBeforeGracePeriod)) { - CMS.debug("ValidityConstraint: notBefore (" + notBefore + ") > current + "+ - "gracePeriod (" + new Date(current.getTime() + notBeforeGracePeriod) + ")"); - throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_NOT_BEFORE_AFTER_CURRENT")); + CMS.debug("ValidityConstraint: notBefore (" + notBefore + + ") > current + " + "gracePeriod (" + + new Date(current.getTime() + notBeforeGracePeriod) + + ")"); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_NOT_BEFORE_AFTER_CURRENT")); } } if (notAfterCheck) { if (notAfter.getTime() < current.getTime()) { - CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < current + (" + current + ")"); - throw new ERejectException(CMS.getUserMessage(getLocale(request), - "CMS_PROFILE_NOT_AFTER_BEFORE_CURRENT")); + CMS.debug("ValidityConstraint: notAfter (" + notAfter + + ") < current + (" + current + ")"); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_NOT_AFTER_BEFORE_CURRENT")); } } } public String getText(Locale locale) { - return CMS.getUserMessage(locale, 
"CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", getConfig(CONFIG_RANGE)); + return CMS + .getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", + getConfig(CONFIG_RANGE)); } public boolean isApplicable(IPolicyDefault def) { |