Diffstat (limited to 'pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java | 143 |
1 files changed, 78 insertions, 65 deletions
diff --git a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
index 902763b48..0dedf8f40 100644
--- a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
+++ b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
@@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.publish.publishers;
-
 import java.io.IOException;
 import java.math.BigInteger;
 import java.security.cert.CertificateEncodingException;
@@ -51,13 +50,13 @@ import com.netscape.certsrv.ldap.ELdapServerDownException;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.ILdapPublisher;
-
-/**
- * Interface for mapping a X509 certificate to a LDAP entry
- *
+/**
+ * Interface for mapping a X509 certificate to a LDAP entry
+ *
  * @version $Revision$, $Date$
  */
-public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPluginInfo {
+public class LdapEncryptCertPublisher implements ILdapPublisher,
+ IExtendedPluginInfo {
 public static final String LDAP_USERCERT_ATTR = "userCertificate;binary";
 public static final String PROP_REVOKE_CERT = "revokeCert";
@@ -81,11 +80,10 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 public String[] getExtendedPluginInfo(Locale locale) {
 String[] params = {
 "certAttr;string;LDAP attribute in which to store the certificate",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-ldappublish-publisher-usercertpublisher",
- IExtendedPluginInfo.HELP_TEXT +
- ";This plugin knows how to publish user certificates"
- };
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-ldappublish-publisher-usercertpublisher",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";This plugin knows how to publish user certificates" };
 return params;
@@ -109,8 +107,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 return mConfig;
 }
- public void init(IConfigStore config)
- throws EBaseException {
+ public void init(IConfigStore config) throws EBaseException {
 if (mInited) return;
 mConfig = config;
@@ -124,16 +121,16 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 }
 /**
- * publish a user certificate
- * Adds the cert to the multi-valued certificate attribute as a
- * DER encoded binary blob. Does not check if cert already exists.
+ * publish a user certificate Adds the cert to the multi-valued certificate
+ * attribute as a DER encoded binary blob. Does not check if cert already
+ * exists.
 *
 * @param conn the LDAP connection
 * @param dn dn of the entry to publish the certificate
- * @param certObj the certificate object.
+ * @param certObj the certificate object.
 */
 public void publish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
 if (conn == null) return;
@@ -147,45 +144,52 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 byte[] certEnc = cert.getEncoded();
 // check if cert already exists.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
 "(objectclass=*)", new String[] { mCertAttr }, false);
 LDAPEntry entry = res.next();
- LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc);
+ LDAPAttribute attr = getModificationAttribute(
+ entry.getAttribute(mCertAttr), certEnc);
 if (attr == null) {
 log(ILogger.LL_INFO, "publish: " + dn + " already has cert.");
 return;
 }
- // publish
- LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
+ // publish
+ LDAPModification mod = new LDAPModification(
+ LDAPModification.REPLACE, attr);
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
 } catch (CertificateEncodingException e) {
- CMS.debug("LdapEncryptCertPublisher: error in publish: " + e.toString());
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ CMS.debug("LdapEncryptCertPublisher: error in publish: "
+ + e.toString());
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
 } catch (LDAPException e) {
 if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
 // need to intercept this because message from LDAP is
 // "DSA is unavailable" which confuses with DSA PKI.
 log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage(
+ "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
+ + conn.getPort()));
 } else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "PUBLISH_PUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
 }
 }
 return;
 }
 /**
- * unpublish a user certificate
- * deletes the certificate from the list of certificates.
- * does not check if certificate is already there.
+ * unpublish a user certificate deletes the certificate from the list of
+ * certificates. does not check if certificate is already there.
 */
 public void unpublish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
 if (!(certObj instanceof X509Certificate)) throw new IllegalArgumentException("Illegal arg to publish");
@@ -195,7 +199,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 byte[] certEnc = cert.getEncoded();
 // check if cert already deleted.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
 "(objectclass=*)", new String[] { mCertAttr }, false);
 LDAPEntry entry = res.next();
@@ -204,23 +208,31 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 return;
 }
- LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
- new LDAPAttribute(mCertAttr, certEnc));
+ LDAPModification mod = new LDAPModification(
+ LDAPModification.DELETE, new LDAPAttribute(mCertAttr,
+ certEnc));
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
 } catch (CertificateEncodingException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
 } catch (LDAPException e) {
 if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
 // need to intercept this because message from LDAP is
 // "DSA is unavailable" which confuses with DSA PKI.
 log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage(
+ "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
+ + conn.getPort()));
 } else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR",
+ e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
 }
 }
 return;
@@ -228,11 +240,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 private void log(int level, String msg) {
 mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level,
- "LdapUserCertPublisher: " + msg);
+ "LdapUserCertPublisher: " + msg);
 }
- public LDAPAttribute getModificationAttribute(
- LDAPAttribute attr, byte[] bval) {
+ public LDAPAttribute getModificationAttribute(LDAPAttribute attr,
+ byte[] bval) {
 LDAPAttribute at = new LDAPAttribute(attr.getName(), bval);
 // determine if the given cert is a signing or an encryption
@@ -256,13 +268,13 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 X509CertImpl cert = new X509CertImpl(val);
 log(ILogger.LL_INFO, "Checking " + cert);
- if (CMS.isEncryptionCert(thisCert) &&
- CMS.isEncryptionCert(cert)) {
+ if (CMS.isEncryptionCert(thisCert)
+ && CMS.isEncryptionCert(cert)) {
 // skip
 log(ILogger.LL_INFO, "SKIP ENCRYPTION " + cert);
 revokeCert(cert);
- } else if (CMS.isSigningCert(thisCert) &&
- CMS.isSigningCert(cert)) {
+ } else if (CMS.isSigningCert(thisCert)
+ && CMS.isSigningCert(cert)) {
 // skip
 log(ILogger.LL_INFO, "SKIP SIGNING " + cert);
 revokeCert(cert);
@@ -270,33 +282,35 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 at.addValue(val);
 }
 } catch (Exception e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
 }
 }
 return at;
 }
- private RevokedCertImpl formCRLEntry(
- BigInteger serialNo, RevocationReason reason)
- throws EBaseException {
+ private RevokedCertImpl formCRLEntry(BigInteger serialNo,
+ RevocationReason reason) throws EBaseException {
 CRLReasonExtension reasonExt = new CRLReasonExtension(reason);
 CRLExtensions crlentryexts = new CRLExtensions();
 try {
 crlentryexts.set(CRLReasonExtension.NAME, reasonExt);
 } catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_SET_CRL_REASON", reason.toString(), e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_SET_CRL_REASON",
+ reason.toString(), e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_INTERNAL_ERROR", e.toString()));
 }
- RevokedCertImpl crlentry =
- new RevokedCertImpl(serialNo, new Date(), crlentryexts);
+ RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, new Date(),
+ crlentryexts);
 return crlentry;
 }
- private void revokeCert(X509CertImpl cert)
- throws EBaseException {
+ private void revokeCert(X509CertImpl cert) throws EBaseException {
 try {
 if (mConfig.getBoolean(PROP_REVOKE_CERT, true) == false) {
 return;
@@ -306,11 +320,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 }
 BigInteger serialNum = cert.getSerialNumber();
 // need to revoke certificate also
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
+ ICertificateAuthority ca = (ICertificateAuthority) CMS
+ .getSubsystem("ca");
 ICAService service = (ICAService) ca.getCAService();
- RevokedCertImpl crlEntry = formCRLEntry(
- serialNum, RevocationReason.KEY_COMPROMISE);
+ RevokedCertImpl crlEntry = formCRLEntry(serialNum,
+ RevocationReason.KEY_COMPROMISE);
 service.revokeCert(crlEntry);
 }
@@ -354,4 +368,3 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
 }
 }
-
|