Diffstat (limited to 'pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java143
1 files changed, 78 insertions, 65 deletions
diff --git a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
index 902763b48..0dedf8f40 100644
--- a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
+++ b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.publish.publishers;
-
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
@@ -51,13 +50,13 @@ import com.netscape.certsrv.ldap.ELdapServerDownException;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.publish.ILdapPublisher;
-
-/**
- * Interface for mapping a X509 certificate to a LDAP entry
- *
+/**
+ * Interface for mapping a X509 certificate to a LDAP entry
+ *
* @version $Revision$, $Date$
*/
-public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPluginInfo {
+public class LdapEncryptCertPublisher implements ILdapPublisher,
+ IExtendedPluginInfo {
public static final String LDAP_USERCERT_ATTR = "userCertificate;binary";
public static final String PROP_REVOKE_CERT = "revokeCert";
@@ -81,11 +80,10 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
public String[] getExtendedPluginInfo(Locale locale) {
String[] params = {
"certAttr;string;LDAP attribute in which to store the certificate",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-ldappublish-publisher-usercertpublisher",
- IExtendedPluginInfo.HELP_TEXT +
- ";This plugin knows how to publish user certificates"
- };
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-ldappublish-publisher-usercertpublisher",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";This plugin knows how to publish user certificates" };
return params;
@@ -109,8 +107,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
return mConfig;
}
- public void init(IConfigStore config)
- throws EBaseException {
+ public void init(IConfigStore config) throws EBaseException {
if (mInited)
return;
mConfig = config;
@@ -124,16 +121,16 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
}
/**
- * publish a user certificate
- * Adds the cert to the multi-valued certificate attribute as a
- * DER encoded binary blob. Does not check if cert already exists.
+ * publish a user certificate Adds the cert to the multi-valued certificate
+ * attribute as a DER encoded binary blob. Does not check if cert already
+ * exists.
*
* @param conn the LDAP connection
* @param dn dn of the entry to publish the certificate
- * @param certObj the certificate object.
+ * @param certObj the certificate object.
*/
public void publish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
if (conn == null)
return;
@@ -147,45 +144,52 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
byte[] certEnc = cert.getEncoded();
// check if cert already exists.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
"(objectclass=*)", new String[] { mCertAttr }, false);
LDAPEntry entry = res.next();
- LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc);
+ LDAPAttribute attr = getModificationAttribute(
+ entry.getAttribute(mCertAttr), certEnc);
if (attr == null) {
log(ILogger.LL_INFO, "publish: " + dn + " already has cert.");
return;
}
- // publish
- LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
+ // publish
+ LDAPModification mod = new LDAPModification(
+ LDAPModification.REPLACE, attr);
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
} catch (CertificateEncodingException e) {
- CMS.debug("LdapEncryptCertPublisher: error in publish: " + e.toString());
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ CMS.debug("LdapEncryptCertPublisher: error in publish: "
+ + e.toString());
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
// need to intercept this because message from LDAP is
// "DSA is unavailable" which confuses with DSA PKI.
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage(
+ "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
+ + conn.getPort()));
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "PUBLISH_PUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
}
}
return;
}
/**
- * unpublish a user certificate
- * deletes the certificate from the list of certificates.
- * does not check if certificate is already there.
+ * unpublish a user certificate deletes the certificate from the list of
+ * certificates. does not check if certificate is already there.
*/
public void unpublish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
if (!(certObj instanceof X509Certificate))
throw new IllegalArgumentException("Illegal arg to publish");
@@ -195,7 +199,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
byte[] certEnc = cert.getEncoded();
// check if cert already deleted.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
"(objectclass=*)", new String[] { mCertAttr }, false);
LDAPEntry entry = res.next();
@@ -204,23 +208,31 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
return;
}
- LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
- new LDAPAttribute(mCertAttr, certEnc));
+ LDAPModification mod = new LDAPModification(
+ LDAPModification.DELETE, new LDAPAttribute(mCertAttr,
+ certEnc));
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
} catch (CertificateEncodingException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
// need to intercept this because message from LDAP is
// "DSA is unavailable" which confuses with DSA PKI.
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage(
+ "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
+ + conn.getPort()));
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR",
+ e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
}
}
return;
@@ -228,11 +240,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
private void log(int level, String msg) {
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level,
- "LdapUserCertPublisher: " + msg);
+ "LdapUserCertPublisher: " + msg);
}
- public LDAPAttribute getModificationAttribute(
- LDAPAttribute attr, byte[] bval) {
+ public LDAPAttribute getModificationAttribute(LDAPAttribute attr,
+ byte[] bval) {
LDAPAttribute at = new LDAPAttribute(attr.getName(), bval);
// determine if the given cert is a signing or an encryption
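Review bot: The re-wrapped line `"LdapUserCertPublisher: " + msg` in log() names a different class than the one this file defines, so every failure this publisher records under ILogger.S_LDAP is attributed to the user-cert publisher rather than to LdapEncryptCertPublisher. Since the commit already rewrites that line, it is the natural place to change it to `"LdapEncryptCertPublisher: " + msg`, which also matches the prefix the CMS.debug() call in publish() uses earlier in this diff. Correct source attribution matters when LDAP publishing failures (server unavailable, modify errors, the revocation path in getModificationAttribute) are triaged from the system log.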
@@ -256,13 +268,13 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
X509CertImpl cert = new X509CertImpl(val);
log(ILogger.LL_INFO, "Checking " + cert);
- if (CMS.isEncryptionCert(thisCert) &&
- CMS.isEncryptionCert(cert)) {
+ if (CMS.isEncryptionCert(thisCert)
+ && CMS.isEncryptionCert(cert)) {
// skip
log(ILogger.LL_INFO, "SKIP ENCRYPTION " + cert);
revokeCert(cert);
- } else if (CMS.isSigningCert(thisCert) &&
- CMS.isSigningCert(cert)) {
+ } else if (CMS.isSigningCert(thisCert)
+ && CMS.isSigningCert(cert)) {
// skip
log(ILogger.LL_INFO, "SKIP SIGNING " + cert);
revokeCert(cert);
@@ -270,33 +282,35 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
at.addValue(val);
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
}
}
return at;
}
- private RevokedCertImpl formCRLEntry(
- BigInteger serialNo, RevocationReason reason)
- throws EBaseException {
+ private RevokedCertImpl formCRLEntry(BigInteger serialNo,
+ RevocationReason reason) throws EBaseException {
CRLReasonExtension reasonExt = new CRLReasonExtension(reason);
CRLExtensions crlentryexts = new CRLExtensions();
try {
crlentryexts.set(CRLReasonExtension.NAME, reasonExt);
} catch (IOException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_SET_CRL_REASON", reason.toString(), e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("PUBLISH_SET_CRL_REASON",
+ reason.toString(), e.toString()));
- throw new ELdapException(CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage(
+ "CMS_LDAP_INTERNAL_ERROR", e.toString()));
}
- RevokedCertImpl crlentry =
- new RevokedCertImpl(serialNo, new Date(), crlentryexts);
+ RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, new Date(),
+ crlentryexts);
return crlentry;
}
- private void revokeCert(X509CertImpl cert)
- throws EBaseException {
+ private void revokeCert(X509CertImpl cert) throws EBaseException {
try {
if (mConfig.getBoolean(PROP_REVOKE_CERT, true) == false) {
return;
@@ -306,11 +320,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
}
BigInteger serialNum = cert.getSerialNumber();
// need to revoke certificate also
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
+ ICertificateAuthority ca = (ICertificateAuthority) CMS
+ .getSubsystem("ca");
ICAService service = (ICAService) ca.getCAService();
- RevokedCertImpl crlEntry = formCRLEntry(
- serialNum, RevocationReason.KEY_COMPROMISE);
+ RevokedCertImpl crlEntry = formCRLEntry(serialNum,
+ RevocationReason.KEY_COMPROMISE);
service.revokeCert(crlEntry);
}
@@ -354,4 +368,3 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPlugin
}
}
-