Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java | 183 |
1 files changed, 89 insertions, 94 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java b/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java index 58d6aba6e..663585bf0 100644 --- a/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java +++ b/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.cert; + import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; 
@@ -46,21 +47,23 @@ import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.publish.IXcertPublisherProcessor; import com.netscape.cmscore.ldapconn.LdapBoundConnFactory; + /** - * Subsystem for handling cross certificate pairing and publishing Intended use: + * Subsystem for handling cross certificate pairing and publishing + * Intended use: * <ul> - * <li>when signing a subordinate CA cert which is intended to be part of the - * crossCertificatePair - * <li>when this ca submits a request (with existing CA signing key material to - * another ca for cross-signing - * </ul> - * In both cases, administrator needs to "import" the crossSigned certificates - * via the admin console. When importCert() is called, the imported cert will be - * stored in the internal db first until it's pairing cert shows up. If it - * happens that the above two cases finds its pairing cert already there, then a - * CertifiatePair is created and put in the internal db - * "crosscertificatepair;binary" attribute - * + * <li> when signing a subordinate CA cert which is intended to be + * part of the crossCertificatePair + * <li> when this ca submits a request (with existing CA signing key + * material to another ca for cross-signing + *</ul> + * In both cases, administrator needs to "import" the crossSigned + * certificates via the admin console. When importCert() is called, + * the imported cert will be stored in the internal db + * first until it's pairing cert shows up. + * If it happens that the above two cases finds its pairing + * cert already there, then a CertifiatePair is created and put + * in the internal db "crosscertificatepair;binary" attribute * @author cfu * @version $Revision$, $Date$ */ @@ -97,7 +100,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { try { mConfig = config; mLogger = CMS.getLogger(); 
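Review bot: The reflowed class Javadoc still carries the pre-existing typos `CertifiatePair` (for `CertificatePair`) and `it's pairing cert` (for `its`), and the new `*</ul>` line lost the space after the asterisk that every other line of the comment has. Since these lines were rewritten anyway, fixing them here costs nothing: ` * </ul>` and `then a CertificatePair is created and put`. The same wording is duplicated in the two importCert Javadocs in later hunks, so whichever form is chosen should be applied to all three.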
@@ -109,19 +112,21 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { if (ldapConfig == null) { log(ILogger.LL_MISCONF, - CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", PROP_LDAP)); + CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", + PROP_LDAP)); return; } mBaseDN = ldapConfig.getString(PROP_BASEDN, null); - + mLdapConnFactory = new LdapBoundConnFactory(); if (mLdapConnFactory != null) mLdapConnFactory.init(ldapConfig); else { log(ILogger.LL_MISCONF, - CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", PROP_LDAP)); + CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", + PROP_LDAP)); return; } } catch (EBaseException e) { @@ -132,12 +137,14 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } /** - * "import" the CA cert cross-signed by another CA (potentially a bridge CA) - * into internal ldap db. the imported cert will be stored in the internal - * db first until it's pairing cert shows up. If it happens that it finds - * its pairing cert already there, then a CertifiatePair is created and put + * "import" the CA cert cross-signed by another CA (potentially a + * bridge CA) into internal ldap db. + * the imported cert will be stored in the internal db + * first until it's pairing cert shows up. + * If it happens that it finds its pairing + * cert already there, then a CertifiatePair is created and put * in the internal db "crosscertificatepair;binary" attribute - * + * * @param certBytes cert in byte array to be imported */ public void importCert(byte[] certBytes) throws EBaseException { @@ -147,9 +154,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { try { cert = byteArray2X509Cert(certBytes); } catch (CertificateException e) { - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } 
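Review bot: The `else` branch after `if (mLdapConnFactory != null)` in init() is unreachable: the line just above assigns `new LdapBoundConnFactory()`, which either yields a non-null reference or throws, so the misconfiguration log it guards can never fire. The re-indented lines would read more honestly as `mLdapConnFactory = new LdapBoundConnFactory();` followed directly by `mLdapConnFactory.init(ldapConfig);`. In the importCert(byte[]) hunk below, `throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString())` keeps only the message of the CertificateException and drops its stack trace; if EBaseException has a cause-taking constructor in this code base, pass `e` as well. The same message-only rethrow recurs in the catch blocks of importCert(Object) and publishCertPairs in later hunks. Both init() and importCert(byte[]) continue outside the hunk.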
@@ -157,12 +162,14 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } /** - * "import" the CA cert cross-signed by another CA (potentially a bridge CA) - * into internal ldap db. the imported cert will be stored in the internal - * db first until it's pairing cert shows up. If it happens that it finds - * its pairing cert already there, then a CertifiatePair is created and put + * "import" the CA cert cross-signed by another CA (potentially a + * bridge CA) into internal ldap db. + * the imported cert will be stored in the internal db + * first until it's pairing cert shows up. + * If it happens that it finds its pairing + * cert already there, then a CertifiatePair is created and put * in the internal db "crosscertificatepair;binary" attribute - * + * * @param certBytes cert in byte array to be imported */ public synchronized void importCert(Object certObj) throws EBaseException { @@ -175,8 +182,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // 1. does cert2 share the same key pair as this CA's signing // cert // 2. does cert2's subject match this CA's subject? - // 3. other valididity checks: is this a ca cert? Is this - // cert still valid? If the issuer is not yet trusted, let it + // 3. other valididity checks: is this a ca cert? Is this + // cert still valid? If the issuer is not yet trusted, let it // be. // get certs from internal db to see if we find a pair @@ -192,8 +199,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { LDAPEntry entry = (LDAPEntry) res.nextElement(); LDAPAttribute caCerts = entry.getAttribute(LDAP_ATTR_CA_CERT); - LDAPAttribute certPairs = entry - .getAttribute(LDAP_ATTR_XCERT_PAIR); + LDAPAttribute certPairs = entry.getAttribute(LDAP_ATTR_XCERT_PAIR); if (caCerts == null) { debug("no existing ca certs, just import"); 
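Review bot: The Javadoc rewritten for `importCert(Object certObj)` documents `@param certBytes cert in byte array to be imported`, but the method's parameter is `certObj` and is not a byte array, so javadoc will flag the unknown name and readers get the wrong contract. It should read `@param certObj the certificate object to be imported`, naming the accepted type once it is confirmed from the cast below the hunk. The numbered comment list of checks (shared key pair, matching subject, CA cert, validity) appears as a checklist with no corresponding code in the hunk; if those checks are not implemented here, marking the comment as a TODO would stop readers from assuming an imported CA cert is validated before it is stored. The body of importCert(Object) continues outside the hunk.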
@@ -202,7 +208,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } Enumeration en = caCerts.getByteValues(); - + if ((en == null) || (en.hasMoreElements() == false)) { debug("1st potential xcert"); addCAcert(conn, cert.getEncoded()); @@ -226,9 +232,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // caCertificate attr, and publish if so configured debug("found a pair!"); CertificatePair cp = new - // CertificatePair(inCert.getEncoded(), - // cert.getEncoded()); - CertificatePair(inCert, cert); + // CertificatePair(inCert.getEncoded(), cert.getEncoded()); + CertificatePair(inCert, cert); addXCertPair(conn, certPairs, cp); deleteCAcert(conn, inCert.getEncoded()); @@ -237,7 +242,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { break; } } - } // while + } //while if (match == false) { // don't find a pair, add it into // caCertificate attr for later pairing 
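Review bot: The commented-out constructor call placed between `new` and `CertificatePair(inCert, cert)` splits one expression across a comment line, so the statement reads as if `new` were dangling. Prefer `CertificatePair cp = new CertificatePair(inCert, cert);` on one line, with the old `CertificatePair(inCert.getEncoded(), cert.getEncoded())` variant either deleted or kept as a full-line comment above it. `Enumeration en = caCerts.getByteValues();` is a raw type; if the LDAP SDK in use returns an `Enumeration<byte[]>` here, typing it would document the element type at the point of use. The enclosing importCert(Object) method starts and ends outside these hunks.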
@@ -251,32 +256,22 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { log(ILogger.LL_INFO, "ldap search found no " + DN_XCERTS); } } catch (IOException e) { - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } catch (LDAPException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } catch (ELdapException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } catch (CertificateException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } finally { try { returnConn(conn); } catch (ELdapException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException( - "CrossCertPairSubsystem: importCert() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); } } debug("importCert(Object) completed"); 
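Review bot: The `throw new EBaseException(...)` inside the `finally` block's catch of ELdapException replaces any exception already propagating from the try body, so when both the LDAP import and `returnConn(conn)` fail, the caller sees only the connection-return failure and the original cause is lost. Since the failure is already logged at `ILogger.LL_FAILURE`, either logging without rethrowing there, or attaching the original exception with `addSuppressed` where the Java level allows it, would keep the primary error visible. The collapsed catch-block rethrows in this hunk also carry the message-only `e.toString()` pattern already raised at the init()/importCert(byte[]) hunk. The try statement's body begins outside the hunk.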
@@ -284,41 +279,41 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { /** * are cert1 and cert2 cross-signed certs? - * * @param cert1 the cert for comparison in our internal db * @param cert2 the cert that's being considered */ protected boolean arePair(X509Certificate cert1, X509Certificate cert2) { // 1. does cert1's issuer match cert2's subject? // 2. does cert2's issuer match cert1's subject? - if ((cert1.getIssuerDN().equals((Object) cert2.getSubjectDN())) - && (cert2.getIssuerDN().equals((Object) cert1.getSubjectDN()))) + if ((cert1.getIssuerDN().equals((Object) cert2.getSubjectDN())) + && (cert2.getIssuerDN().equals((Object) cert1.getSubjectDN()))) return true; else return false; } - public X509Certificate byteArray2X509Cert(byte[] certBytes) - throws CertificateException { + public X509Certificate byteArray2X509Cert(byte[] certBytes) + throws CertificateException { debug("in bytearray2X509Cert()"); - ByteArrayInputStream inStream = new ByteArrayInputStream(certBytes); + ByteArrayInputStream inStream = new + ByteArrayInputStream(certBytes); - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + CertificateFactory cf = + CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) cf - .generateCertificate(inStream); + X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream); debug("done bytearray2X509Cert()"); return cert; } public synchronized void addXCertPair(LDAPConnection conn, - LDAPAttribute certPairs, CertificatePair pair) - throws LDAPException, IOException { + LDAPAttribute certPairs, CertificatePair pair) + throws LDAPException, IOException { ByteArrayOutputStream bos = new ByteArrayOutputStream(); pair.encode(bos); - + if (ByteValueExists(certPairs, bos.toByteArray()) == true) { debug("cross cert pair exists in internal db, don't add again"); return; 
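Review bot: `arePair` returns the result of a boolean expression through `if (...) return true; else return false;`; the re-indented comparison can simply be `return cert1.getIssuerDN().equals(cert2.getSubjectDN()) && cert2.getIssuerDN().equals(cert1.getSubjectDN());`, and the `(Object)` casts add nothing. `X509Certificate.getIssuerDN()`/`getSubjectDN()` are denigrated by the JDK in favour of `getIssuerX500Principal()`/`getSubjectX500Principal()`, whose `equals` compares canonical name forms rather than an implementation-specific Principal. Name equality alone also says nothing about whether either certificate actually signed the other; if no signature verification happens elsewhere in the import path, the method's Javadoc should state that `arePair` is a name-based check only. In `byteArray2X509Cert`, `ByteArrayInputStream inStream = new` followed by `ByteArrayInputStream(certBytes);` on the next line breaks a `new` expression over two lines, which reads like a truncated statement.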
@@ -327,9 +322,9 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // add certificatePair LDAPModificationSet modSet = new LDAPModificationSet(); - modSet.add(LDAPModification.ADD, new LDAPAttribute( - LDAP_ATTR_XCERT_PAIR, bos.toByteArray())); - conn.modify(DN_XCERTS + "," + mBaseDN, modSet); + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_ATTR_XCERT_PAIR, bos.toByteArray())); + conn.modify(DN_XCERTS + "," + mBaseDN, modSet); } /** @@ -371,22 +366,24 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { debug("exiting byteArraysAreEqual(): true"); return true; } - + public synchronized void addCAcert(LDAPConnection conn, byte[] certEnc) - throws LDAPException { - LDAPModificationSet modSet = new LDAPModificationSet(); - - modSet.add(LDAPModification.ADD, new LDAPAttribute(LDAP_ATTR_CA_CERT, - certEnc)); + throws LDAPException { + LDAPModificationSet modSet = new + LDAPModificationSet(); + + modSet.add(LDAPModification.ADD, + new LDAPAttribute(LDAP_ATTR_CA_CERT, certEnc)); conn.modify(DN_XCERTS + "," + mBaseDN, modSet); } public synchronized void deleteCAcert(LDAPConnection conn, byte[] certEnc) - throws LDAPException { - LDAPModificationSet modSet = new LDAPModificationSet(); + throws LDAPException { + LDAPModificationSet modSet = new + LDAPModificationSet(); - modSet.add(LDAPModification.DELETE, new LDAPAttribute( - LDAP_ATTR_CA_CERT, certEnc)); + modSet.add(LDAPModification.DELETE, + new LDAPAttribute(LDAP_ATTR_CA_CERT, certEnc)); conn.modify(DN_XCERTS + "," + mBaseDN, modSet); } @@ -396,7 +393,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { public synchronized void publishCertPairs() throws EBaseException { LDAPConnection conn = null; - if ((mPublisherProcessor == null) || !mPublisherProcessor.enabled()) + if ((mPublisherProcessor == null) || + !mPublisherProcessor.enabled()) return; try { 
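Review bot: `LDAPModificationSet modSet = new` followed by `LDAPModificationSet();` on the next line in both `addCAcert` and `deleteCAcert` splits a `new` expression across lines, which most readers will take for a typo; keep `LDAPModificationSet modSet = new LDAPModificationSet();` on one line, as the unchanged addXCertPair context at the top of this hunk does. The public synchronized `addXCertPair`, `addCAcert` and `deleteCAcert` methods have no Javadoc; a one-line summary each, e.g. `/** Adds {@code certEnc} as a value of the {@code LDAP_ATTR_CA_CERT} attribute of the {@code DN_XCERTS} entry. */` for addCAcert, would explain why three methods write to the same DN. The body of addXCertPair begins outside the hunk.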
@@ -423,7 +421,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } Enumeration en = xcerts.getByteValues(); - + if ((en == null) || (en.hasMoreElements() == false)) { debug("publishCertPair found no pairs in internal db"); return; @@ -437,23 +435,19 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { continue; } else { try { - // found a cross cert pair, publish if we could + //found a cross cert pair, publish if we could IXcertPublisherProcessor xp = null; xp = (IXcertPublisherProcessor) mPublisherProcessor; xp.publishXCertPair(val); } catch (Exception e) { - throw new EBaseException( - "CrossCertPairSubsystem: publishCertPairs() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: publishCertPairs() failed:" + e.toString()); } } }// while - }// if + }//if } catch (Exception e) { - throw new EBaseException( - "CrossCertPairSubsystem: publishCertPairs() failed:" - + e.toString()); + throw new EBaseException("CrossCertPairSubsystem: publishCertPairs() failed:" + e.toString()); } } @@ -482,16 +476,16 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { try { mLdapConnFactory.reset(); } catch (ELdapException e) { - CMS.debug("CrossCertPairSubsystem shutdown exception: " - + e.toString()); + CMS.debug("CrossCertPairSubsystem shutdown exception: "+e.toString()); } } mLdapConnFactory = null; } /* - * Returns the root configuration storage of this system. <P> - * + * Returns the root configuration storage of this system. + * <P> + * * @return configuration store of this subsystem */ public IConfigStore getConfigStore() { @@ -499,7 +493,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } protected void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_XCERT, level, msg); + mLogger.log(ILogger.EV_SYSTEM, + ILogger.S_XCERT, level, msg); } private static void debug(String msg) { |
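Review bot: The cast `xp = (IXcertPublisherProcessor) mPublisherProcessor;` sits inside the loop's `catch (Exception e)`, so a processor that does not implement IXcertPublisherProcessor fails with a ClassCastException that is reported as `publishCertPairs() failed:` plus the cause text, indistinguishable from a real publishing error; checking `mPublisherProcessor instanceof IXcertPublisherProcessor` once before the loop, with a message naming the misconfiguration, would make that case diagnosable and hoist the cast out of the per-pair iteration. Both `catch (Exception e)` blocks rethrow with `e.toString()` only, the pattern raised at the init()/importCert(byte[]) hunk. In the shutdown hunk, `"CrossCertPairSubsystem shutdown exception: "+e.toString()` drops the spaces around `+` that the rest of the file uses. The publishCertPairs loop and its enclosing try block begin outside the hunk.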