From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata Date: Sat, 24 Mar 2012 02:27:47 -0500 Subject: Removed unnecessary pki folder. Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131 --- .../netscape/cms/profile/common/BasicProfile.java | 1171 ++++++++++++++++ .../cms/profile/common/CACertCAEnrollProfile.java | 107 ++ .../cms/profile/common/CAEnrollProfile.java | 242 ++++ .../netscape/cms/profile/common/EnrollProfile.java | 1468 ++++++++++++++++++++ .../cms/profile/common/EnrollProfileContext.java | 31 + .../cms/profile/common/ProfileContext.java | 39 + .../netscape/cms/profile/common/ProfilePolicy.java | 53 + .../cms/profile/common/RAEnrollProfile.java | 128 ++ .../profile/common/ServerCertCAEnrollProfile.java | 100 ++ .../profile/common/UserCertCAEnrollProfile.java | 100 ++ .../constraint/BasicConstraintsExtConstraint.java | 224 +++ .../cms/profile/constraint/CAEnrollConstraint.java | 48 + .../profile/constraint/CAValidityConstraint.java | 139 ++ .../cms/profile/constraint/EnrollConstraint.java | 214 +++ .../constraint/ExtendedKeyUsageExtConstraint.java | 156 +++ .../profile/constraint/ExtensionConstraint.java | 146 ++ .../cms/profile/constraint/KeyConstraint.java | 644 +++++++++ .../profile/constraint/KeyUsageExtConstraint.java | 291 ++++ .../constraint/NSCertTypeExtConstraint.java | 243 ++++ .../cms/profile/constraint/NoConstraint.java | 101 ++ .../constraint/RenewGracePeriodConstraint.java | 165 +++ .../profile/constraint/SigningAlgConstraint.java | 160 +++ .../profile/constraint/SubjectNameConstraint.java | 136 ++ .../profile/constraint/UniqueKeyConstraint.java | 295 ++++ .../constraint/UniqueSubjectNameConstraint.java | 251 ++++ .../cms/profile/constraint/ValidityConstraint.java | 218 +++ .../cms/profile/def/AuthInfoAccessExtDefault.java | 454 ++++++ .../profile/def/AuthTokenSubjectNameDefault.java | 152 ++ 
.../def/AuthorityKeyIdentifierExtDefault.java | 190 +++ .../cms/profile/def/AutoAssignDefault.java | 96 ++ .../profile/def/BasicConstraintsExtDefault.java | 297 ++++ .../netscape/cms/profile/def/CAEnrollDefault.java | 106 ++ .../cms/profile/def/CAValidityDefault.java | 348 +++++ .../def/CRLDistributionPointsExtDefault.java | 696 ++++++++++ .../profile/def/CertificatePoliciesExtDefault.java | 796 +++++++++++ .../cms/profile/def/CertificateVersionDefault.java | 193 +++ .../netscape/cms/profile/def/EnrollDefault.java | 815 +++++++++++ .../netscape/cms/profile/def/EnrollExtDefault.java | 28 + .../profile/def/ExtendedKeyUsageExtDefault.java | 250 ++++ .../cms/profile/def/FreshestCRLExtDefault.java | 584 ++++++++ .../cms/profile/def/GenericExtDefault.java | 260 ++++ .../com/netscape/cms/profile/def/ImageDefault.java | 105 ++ .../profile/def/InhibitAnyPolicyExtDefault.java | 271 ++++ .../cms/profile/def/IssuerAltNameExtDefault.java | 317 +++++ .../cms/profile/def/KeyUsageExtDefault.java | 511 +++++++ .../cms/profile/def/NSCCommentExtDefault.java | 246 ++++ .../cms/profile/def/NSCertTypeExtDefault.java | 419 ++++++ .../cms/profile/def/NameConstraintsExtDefault.java | 670 +++++++++ .../com/netscape/cms/profile/def/NoDefault.java | 111 ++ .../cms/profile/def/OCSPNoCheckExtDefault.java | 185 +++ .../profile/def/PolicyConstraintsExtDefault.java | 287 ++++ .../cms/profile/def/PolicyMappingsExtDefault.java | 420 ++++++ .../def/PrivateKeyUsagePeriodExtDefault.java | 316 +++++ .../cms/profile/def/SigningAlgDefault.java | 183 +++ .../cms/profile/def/SubjectAltNameExtDefault.java | 542 ++++++++ .../def/SubjectDirAttributesExtDefault.java | 527 +++++++ .../profile/def/SubjectInfoAccessExtDefault.java | 448 ++++++ .../def/SubjectKeyIdentifierExtDefault.java | 217 +++ .../cms/profile/def/SubjectNameDefault.java | 184 +++ .../cms/profile/def/UserExtensionDefault.java | 136 ++ .../netscape/cms/profile/def/UserKeyDefault.java | 233 ++++ .../cms/profile/def/UserSigningAlgDefault.java | 126 
++ .../cms/profile/def/UserSubjectNameDefault.java | 143 ++ .../cms/profile/def/UserValidityDefault.java | 149 ++ .../netscape/cms/profile/def/ValidityDefault.java | 263 ++++ .../cms/profile/def/nsHKeySubjectNameDefault.java | 215 +++ .../cms/profile/def/nsNKeySubjectNameDefault.java | 423 ++++++ .../def/nsTokenDeviceKeySubjectNameDefault.java | 215 +++ .../def/nsTokenUserKeySubjectNameDefault.java | 456 ++++++ .../cms/profile/input/CMCCertReqInput.java | 122 ++ .../netscape/cms/profile/input/CertReqInput.java | 185 +++ .../cms/profile/input/DualKeyGenInput.java | 163 +++ .../cms/profile/input/EncryptionKeyGenInput.java | 184 +++ .../netscape/cms/profile/input/EnrollInput.java | 303 ++++ .../cms/profile/input/FileSigningInput.java | 143 ++ .../netscape/cms/profile/input/GenericInput.java | 160 +++ .../com/netscape/cms/profile/input/ImageInput.java | 89 ++ .../netscape/cms/profile/input/KeyGenInput.java | 184 +++ .../cms/profile/input/SerialNumRenewInput.java | 89 ++ .../cms/profile/input/SigningKeyGenInput.java | 184 +++ .../netscape/cms/profile/input/SubjectDNInput.java | 142 ++ .../cms/profile/input/SubjectNameInput.java | 382 +++++ .../cms/profile/input/SubmitterInfoInput.java | 102 ++ .../cms/profile/input/nsHKeyCertReqInput.java | 160 +++ .../cms/profile/input/nsNKeyCertReqInput.java | 129 ++ .../netscape/cms/profile/output/CMMFOutput.java | 161 +++ .../netscape/cms/profile/output/CertOutput.java | 120 ++ .../netscape/cms/profile/output/EnrollOutput.java | 134 ++ .../netscape/cms/profile/output/PKCS7Output.java | 158 +++ .../netscape/cms/profile/output/nsNKeyOutput.java | 110 ++ .../cms/profile/updater/SubsystemGroupUpdater.java | 321 +++++ 91 files changed, 24178 insertions(+) create mode 100644 base/common/src/com/netscape/cms/profile/common/BasicProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java create mode 100644 
base/common/src/com/netscape/cms/profile/common/EnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java create mode 100644 base/common/src/com/netscape/cms/profile/common/ProfileContext.java create mode 100644 base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java create mode 100644 base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java create mode 100644 
base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/EnrollDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ImageDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java create mode 100644 
base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/NoDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/ValidityDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java create mode 100644 
base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java create mode 100644 base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/CertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/EnrollInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/FileSigningInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/GenericInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/ImageInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/KeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/CMMFOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/CertOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/output/EnrollOutput.java create mode 100644 
base/common/src/com/netscape/cms/profile/output/PKCS7Output.java create mode 100644 base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java create mode 100644 base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java (limited to 'base/common/src/com/netscape/cms/profile') diff --git a/base/common/src/com/netscape/cms/profile/common/BasicProfile.java b/base/common/src/com/netscape/cms/profile/common/BasicProfile.java new file mode 100644 index 000000000..696d0cd13 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/BasicProfile.java 
@@ -0,0 +1,1171 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthSubsystem; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.profile.IProfilePolicy; +import com.netscape.certsrv.profile.IProfileSubsystem; +import 
com.netscape.certsrv.profile.IProfileUpdater; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.registry.IPluginInfo; +import com.netscape.certsrv.registry.IPluginRegistry; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This class implements a basic profile. + * + * @version $Revision$, $Date$ + */ +public abstract class BasicProfile implements IProfile { + + public static final String PROP_ENABLE = "enable"; + public static final String PROP_ENABLE_BY = "enableBy"; + public static final String PROP_IS_RENEWAL = "renewal"; + public static final String PROP_XML_OUTPUT = "xmlOutput"; + public static final String PROP_VISIBLE = "visible"; + public static final String PROP_INPUT_LIST = "list"; + public static final String PROP_OUTPUT_LIST = "list"; + public static final String PROP_UPDATER_LIST = "list"; + public static final String PROP_POLICY_LIST = "list"; + public static final String PROP_DEFAULT = "default"; + public static final String PROP_CONSTRAINT = "constraint"; + public static final String PROP_INPUT = "input"; + public static final String PROP_OUTPUT = "output"; + public static final String PROP_CLASS_ID = "class_id"; + public static final String PROP_INSTANCE_ID = "instance_id"; + public static final String PROP_PARAMS = "params"; + public static final String PROP_NAME = "name"; + public static final String PROP_DESC = "desc"; + public static final String PROP_NO_DEFAULT = "noDefaultImpl"; + public static final String PROP_NO_CONSTRAINT = "noConstraintImpl"; + public static final String PROP_GENERIC_EXT_DEFAULT = "genericExtDefaultImpl"; + + protected IProfileSubsystem mOwner = null; + protected IConfigStore mConfig = null; + protected IPluginRegistry mRegistry = null; + + protected Vector mInputNames = new Vector(); + protected Hashtable mInputs = new Hashtable(); + protected Vector mInputIds = new Vector(); + protected Hashtable mOutputs = new Hashtable(); + 
protected Vector mOutputIds = new Vector(); + protected Hashtable mUpdaters = new Hashtable(); + protected Vector mUpdaterIds = new Vector(); + protected IProfileAuthenticator mAuthenticator = null; + protected String mAuthInstanceId = null; + protected String mId = null; + protected String mAuthzAcl = ""; + + protected Hashtable> mPolicySet = new Hashtable>(); + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + public BasicProfile() { + } + + public boolean isEnable() { + try { + return mConfig.getBoolean(PROP_ENABLE, false); + } catch (EBaseException e) { + return false; + } + } + + public String isRenewal() { + try { + return mConfig.getString(PROP_IS_RENEWAL, "false"); + } catch (EBaseException e) { + return "false"; + } + } + + public String isXmlOutput() { + try { + return mConfig.getString(PROP_XML_OUTPUT, "false"); + } catch (EBaseException e) { + return "false"; + } + } + + public String getApprovedBy() { + try { + return mConfig.getString(PROP_ENABLE_BY, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setId(String id) { + mId = id; + } + + public String getId() { + return mId; + } + + public IProfileAuthenticator getAuthenticator() throws EProfileException { + try { + IAuthSubsystem authSub = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + IProfileAuthenticator auth = (IProfileAuthenticator) + authSub.get(mAuthInstanceId); + + if (mAuthInstanceId != null && mAuthInstanceId.length() > 0 + && auth == null) { + throw new EProfileException("Cannot load " + + mAuthInstanceId); + } + return auth; + } catch (Exception e) { + if (mAuthInstanceId != null) { + throw new EProfileException("Cannot load " + + mAuthInstanceId); + } + return null; + } + } + + public String getRequestorDN(IRequest request) { + return null; + } + + public String getAuthenticatorId() { + return mAuthInstanceId; + } + + public void setAuthenticatorId(String id) { + mAuthInstanceId = id; + mConfig.putString("auth." 
+ PROP_INSTANCE_ID, id); + } + + public String getAuthzAcl() { + return mAuthzAcl; + } + + /** + * Initializes this profile. + */ + public void init(IProfileSubsystem owner, IConfigStore config) + throws EBaseException { + CMS.debug("BasicProfile: start init"); + mOwner = owner; + mConfig = config; + + mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + + // Configure File Formats: + // visible + // auth.class_id=NoAuthImpl + // auth.params.x1=x1 + // input.list=i1,i2,... + // input.i1.class=com.netscape.cms.profile.input.CertReqInput + // input.i1.params.x1=x1 + // policy.list=p1,p2,... + // policy.p1.enable=true + // policy.p1.default.class=com.netscape.cms.profile.defaults.SubjectName + // policy.p1.default.params.x1=x1 + // policy.p1.default.params.x2=x2 + // policy.p1.constraint.class= ... .cms.profile.constraints.ValidityRange + // policy.p1.constraint.params.x1=x1 + // policy.p1.constraint.params.x2=x2 + + // handle profile authentication plugins + try { + mAuthInstanceId = config.getString("auth." + PROP_INSTANCE_ID, null); + mAuthzAcl = config.getString("authz.acl", ""); + } catch (EBaseException e) { + CMS.debug("BasicProfile: authentication class not found " + + e.toString()); + } + + // handle profile input plugins + IConfigStore inputStore = config.getSubStore("input"); + String input_list = inputStore.getString(PROP_INPUT_LIST, ""); + StringTokenizer input_st = new StringTokenizer(input_list, ","); + + while (input_st.hasMoreTokens()) { + String input_id = input_st.nextToken(); + String inputClassId = inputStore.getString(input_id + "." 
+ + PROP_CLASS_ID); + IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput", + inputClassId); + String inputClass = inputInfo.getClassName(); + + IProfileInput input = null; + + try { + input = (IProfileInput) + Class.forName(inputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: input plugin Class.forName " + + inputClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore inputConfig = inputStore.getSubStore(input_id); + input.init(this, inputConfig); + mInputs.put(input_id, input); + mInputIds.addElement(input_id); + } + + // handle profile output plugins + IConfigStore outputStore = config.getSubStore("output"); + String output_list = outputStore.getString(PROP_OUTPUT_LIST, ""); + StringTokenizer output_st = new StringTokenizer(output_list, ","); + + while (output_st.hasMoreTokens()) { + String output_id = output_st.nextToken(); + + String outputClassId = outputStore.getString(output_id + "." + + PROP_CLASS_ID); + IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput", + outputClassId); + String outputClass = outputInfo.getClassName(); + + IProfileOutput output = null; + + try { + output = (IProfileOutput) + Class.forName(outputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: output plugin Class.forName " + + outputClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore outputConfig = outputStore.getSubStore(output_id); + output.init(this, outputConfig); + mOutputs.put(output_id, output); + mOutputIds.addElement(output_id); + } + + // handle profile output plugins + IConfigStore updaterStore = config.getSubStore("updater"); + String updater_list = updaterStore.getString(PROP_UPDATER_LIST, ""); + StringTokenizer updater_st = new StringTokenizer(updater_list, ","); + + while (updater_st.hasMoreTokens()) { + String updater_id = updater_st.nextToken(); + + String updaterClassId = 
updaterStore.getString(updater_id + "." + + PROP_CLASS_ID); + IPluginInfo updaterInfo = mRegistry.getPluginInfo("profileUpdater", + updaterClassId); + String updaterClass = updaterInfo.getClassName(); + + IProfileUpdater updater = null; + + try { + updater = (IProfileUpdater) + Class.forName(updaterClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: updater plugin Class.forName " + + updaterClass + " " + e.toString()); + throw new EBaseException(e.toString()); + } + IConfigStore updaterConfig = updaterStore.getSubStore(updater_id); + updater.init(this, updaterConfig); + mUpdaters.put(updater_id, updater); + mUpdaterIds.addElement(updater_id); + } + + // handle profile policy plugins + IConfigStore policySetStore = config.getSubStore("policyset"); + String setlist = policySetStore.getString("list", ""); + StringTokenizer st = new StringTokenizer(setlist, ","); + + while (st.hasMoreTokens()) { + String setId = st.nextToken(); + + IConfigStore policyStore = policySetStore.getSubStore(setId); + String list = policyStore.getString(PROP_POLICY_LIST, ""); + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String id = st1.nextToken(); + + String defaultRoot = id + "." + PROP_DEFAULT; + String defaultClassId = policyStore.getString(defaultRoot + "." + + PROP_CLASS_ID); + + String constraintRoot = id + "." + PROP_CONSTRAINT; + String constraintClassId = + policyStore.getString(constraintRoot + "." 
+ PROP_CLASS_ID); + + createProfilePolicy(setId, id, defaultClassId, + constraintClassId, false); + } + } + CMS.debug("BasicProfile: done init"); + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public Enumeration getInputNames() { + return mInputNames.elements(); + } + + public Enumeration getProfileUpdaterIds() { + return mUpdaterIds.elements(); // ordered list + } + + public IProfileUpdater getProfileUpdater(String name) { + return mUpdaters.get(name); + } + + public Enumeration getProfileOutputIds() { + return mOutputIds.elements(); // ordered list + } + + public IProfileOutput getProfileOutput(String name) { + return mOutputs.get(name); + } + + public Enumeration getProfileInputIds() { + return mInputIds.elements(); // ordered list + } + + public IProfileInput getProfileInput(String name) { + return mInputs.get(name); + } + + public void addInputName(String name) { + mInputNames.addElement(name); + } + + public IDescriptor getInputDescriptor(String name) { + return null; + } + + public String getInput(String name, Locale locale, IRequest request) + throws EProfileException { + return null; + } + + public void setInput(String name, Locale locale, IRequest request, + String value) throws EProfileException { + } + + public Enumeration getProfilePolicySetIds() { + return mPolicySet.keys(); + } + + public void deleteProfilePolicy(String setId, String policyId) + throws EProfileException { + Vector policies = mPolicySet.get(setId); + + if (policies == null) { + return; + } + try { + IConfigStore policySetSubStore = mConfig.getSubStore("policyset"); + IConfigStore policySubStore = policySetSubStore.getSubStore(setId); + + policySubStore.removeSubStore(policyId); + String list = policySubStore.getString(PROP_POLICY_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(policyId)) { + 
sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) { + newlist = newlist.substring(0, newlist.length() - 1); + policySubStore.putString(PROP_POLICY_LIST, newlist); + } else { + policySetSubStore.removeSubStore(setId); + } + + int size = policies.size(); + + for (int i = 0; i < size; i++) { + ProfilePolicy policy = policies.elementAt(i); + String id = policy.getId(); + + if (id.equals(policyId)) { + policies.removeElementAt(i); + if (size == 1) { + mPolicySet.remove(setId); + String setlist = policySetSubStore.getString(PROP_POLICY_LIST, null); + StringTokenizer st1 = new StringTokenizer(setlist, ","); + String newlist1 = ""; + + while (st1.hasMoreTokens()) { + String e = st1.nextToken(); + + if (!e.equals(setId)) + newlist1 = newlist1 + e + ","; + } + if (!newlist1.equals("")) + newlist1 = newlist1.substring(0, newlist1.length() - 1); + policySetSubStore.putString(PROP_POLICY_LIST, newlist1); + } + break; + } + } + + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + + } + + public void deleteProfileInput(String inputId) throws EProfileException { + try { + mConfig.removeSubStore("input." + inputId); + String list = mConfig.getString("input." + PROP_INPUT_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(inputId)) { + sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) + newlist = newlist.substring(0, newlist.length() - 1); + + int size = mInputIds.size(); + + for (int i = 0; i < size; i++) { + String id = mInputIds.elementAt(i); + + if (id.equals(inputId)) { + mInputIds.removeElementAt(i); + break; + } + } + + mInputs.remove(inputId); + mConfig.putString("input." 
+ PROP_INPUT_LIST, newlist); + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + } + + public void deleteProfileOutput(String outputId) throws EProfileException { + try { + mConfig.removeSubStore("output." + outputId); + String list = mConfig.getString("output." + PROP_OUTPUT_LIST, null); + StringTokenizer st = new StringTokenizer(list, ","); + String newlist = ""; + StringBuffer sb = new StringBuffer(); + + while (st.hasMoreTokens()) { + String e = st.nextToken(); + + if (!e.equals(outputId)) { + sb.append(e); + sb.append(","); + } + } + newlist = sb.toString(); + if (!newlist.equals("")) + newlist = newlist.substring(0, newlist.length() - 1); + + int size = mOutputIds.size(); + + for (int i = 0; i < size; i++) { + String id = mOutputIds.elementAt(i); + + if (id.equals(outputId)) { + mOutputIds.removeElementAt(i); + break; + } + } + + mOutputs.remove(outputId); + mConfig.putString("output." + PROP_OUTPUT_LIST, newlist); + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (Exception e) { + } + } + + public IProfileOutput createProfileOutput(String id, String outputId, + NameValuePairs nvps) + throws EProfileException { + return createProfileOutput(id, outputId, nvps, true); + } + + public IProfileOutput createProfileOutput(String id, String outputId, + NameValuePairs nvps, boolean createConfig) + + throws EProfileException { + IConfigStore outputStore = mConfig.getSubStore("output"); + + IPluginInfo outputInfo = mRegistry.getPluginInfo("profileOutput", + outputId); + + if (outputInfo == null) { + CMS.debug("Cannot find " + outputId); + throw new EProfileException("Cannot find " + outputId); + } + String outputClass = outputInfo.getClassName(); + + CMS.debug("BasicProfile: loading output class " + outputClass); + IProfileOutput output = null; + + try { + output = (IProfileOutput) + 
Class.forName(outputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug(e.toString()); + } + if (output == null) { + CMS.debug("BasicProfile: failed to create " + outputClass); + } else { + CMS.debug("BasicProfile: initing " + id + " output"); + + CMS.debug("BasicProfile: outputStore " + outputStore); + output.init(this, outputStore); + + mOutputs.put(id, output); + mOutputIds.addElement(id); + } + + if (createConfig) { + String list = null; + + try { + list = outputStore.getString(PROP_OUTPUT_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + outputStore.putString(PROP_OUTPUT_LIST, id); + } else { + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + + if (pid.equals(id)) { + throw new EProfileException("Duplicate output id: " + id); + } + } + outputStore.putString(PROP_OUTPUT_LIST, list + "," + id); + } + String prefix = id + "."; + + outputStore.putString(prefix + "name", + outputInfo.getName(Locale.getDefault())); + outputStore.putString(prefix + "class_id", outputId); + + for (String name : nvps.keySet()) { + + outputStore.putString(prefix + "params." 
+ name, nvps.get(name)); + try { + if (output != null) { + output.setConfig(name, nvps.get(name)); + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + return output; + } + + public IProfileInput createProfileInput(String id, String inputId, + NameValuePairs nvps) + throws EProfileException { + return createProfileInput(id, inputId, nvps, true); + } + + public IProfileInput createProfileInput(String id, String inputId, + NameValuePairs nvps, boolean createConfig) + throws EProfileException { + IConfigStore inputStore = mConfig.getSubStore("input"); + + IPluginInfo inputInfo = mRegistry.getPluginInfo("profileInput", + inputId); + + if (inputInfo == null) { + CMS.debug("Cannot find " + inputId); + throw new EProfileException("Cannot find " + inputId); + } + String inputClass = inputInfo.getClassName(); + + CMS.debug("BasicProfile: loading input class " + inputClass); + IProfileInput input = null; + + try { + input = (IProfileInput) + Class.forName(inputClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug(e.toString()); + } + if (input == null) { + CMS.debug("BasicProfile: failed to create " + inputClass); + } else { + CMS.debug("BasicProfile: initing " + id + " input"); + + CMS.debug("BasicProfile: inputStore " + inputStore); + input.init(this, inputStore); + + mInputs.put(id, input); + mInputIds.addElement(id); + } + + if (createConfig) { + String list = null; + + try { + list = inputStore.getString(PROP_INPUT_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + inputStore.putString(PROP_INPUT_LIST, id); + } else { + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + + if (pid.equals(id)) { + throw new 
EProfileException("Duplicate input id: " + id); + } + } + inputStore.putString(PROP_INPUT_LIST, list + "," + id); + } + String prefix = id + "."; + + inputStore.putString(prefix + "name", + inputInfo.getName(Locale.getDefault())); + inputStore.putString(prefix + "class_id", inputId); + + for (String name : nvps.keySet()) { + + inputStore.putString(prefix + "params." + name, nvps.get(name)); + try { + if (input != null) { + input.setConfig(name, nvps.get(name)); + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + mConfig.commit(false); + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + } + + return input; + } + + /** + * Creates a profile policy + */ + public IProfilePolicy createProfilePolicy(String setId, String id, + String defaultClassId, String constraintClassId) + throws EProfileException { + return createProfilePolicy(setId, id, defaultClassId, + constraintClassId, true); + } + + public IProfilePolicy createProfilePolicy(String setId, String id, + String defaultClassId, String constraintClassId, + boolean createConfig) + throws EProfileException { + + // String setId ex: policyset.set1 + // String id Id of policy : examples: p1,p2,p3 + // String defaultClassId : id of the default plugin ex: validityDefaultImpl + // String constraintClassId : if of the constraint plugin ex: basicConstraintsExtConstraintImpl + // boolean createConfig : true : being called from the console. false: being called from server startup code + + Vector policies = mPolicySet.get(setId); + + IConfigStore policyStore = mConfig.getSubStore("policyset." 
+ setId); + if (policies == null) { + policies = new Vector(); + mPolicySet.put(setId, policies); + if (createConfig) { + // re-create policyset.list + StringBuffer setlist = new StringBuffer(); + Enumeration keys = mPolicySet.keys(); + + while (keys.hasMoreElements()) { + String k = keys.nextElement(); + + if (!(setlist.toString()).equals("")) { + setlist.append(","); + } + setlist.append(k); + } + mConfig.putString("policyset.list", setlist.toString()); + } + } else { + String ids = null; + + try { + ids = policyStore.getString(PROP_POLICY_LIST, ""); + } catch (Exception ee) { + } + + if (ids == null) { + CMS.debug("BasicProfile::createProfilePolicy() - ids is null!"); + return null; + } + + StringTokenizer st1 = new StringTokenizer(ids, ","); + int appearances = 0; + int appearancesTooMany = 0; + if (createConfig) + appearancesTooMany = 1; + else + appearancesTooMany = 2; + + while (st1.hasMoreTokens()) { + String pid = st1.nextToken(); + if (pid.equals(id)) { + appearances++; + if (appearances >= appearancesTooMany) { + CMS.debug("WARNING detected duplicate policy id: " + id + " Profile: " + mId); + if (createConfig) { + throw new EProfileException("Duplicate policy id: " + id); + } + } + } + } + } + + // Now make sure we aren't trying to add a policy that already exists + IConfigStore policySetStore = mConfig.getSubStore("policyset"); + String setlist = null; + try { + setlist = policySetStore.getString("list", ""); + } catch (Exception e) { + } + StringTokenizer st = new StringTokenizer(setlist, ","); + + int matches = 0; + while (st.hasMoreTokens()) { + String sId = st.nextToken(); + + //Only search the setId set. 
Ex: encryptionCertSet + if (!sId.equals(setId)) { + continue; + } + IConfigStore pStore = policySetStore.getSubStore(sId); + + String list = null; + try { + list = pStore.getString(PROP_POLICY_LIST, ""); + } catch (Exception e) { + CMS.debug("WARNING, can't get policy id list!"); + } + + StringTokenizer st1 = new StringTokenizer(list, ","); + + while (st1.hasMoreTokens()) { + String curId = st1.nextToken(); + + String defaultRoot = curId + "." + PROP_DEFAULT; + String curDefaultClassId = null; + try { + curDefaultClassId = pStore.getString(defaultRoot + "." + + PROP_CLASS_ID); + } catch (Exception e) { + CMS.debug("WARNING, can't get default plugin id!"); + } + + //Disallow duplicate defaults with the following exceptions: + // noDefaultImpl, genericExtDefaultImpl + + if ((curDefaultClassId.equals(defaultClassId) && + !curDefaultClassId.equals(PROP_NO_DEFAULT) && + !curDefaultClassId.equals(PROP_GENERIC_EXT_DEFAULT))) { + + matches++; + if (createConfig) { + if (matches == 1) { + CMS.debug("WARNING attempt to add duplicate Policy " + + defaultClassId + ":" + constraintClassId + + " Contact System Administrator."); + throw new EProfileException("Attempt to add duplicate Policy : " + + defaultClassId + ":" + constraintClassId); + } + } else { + if (matches > 1) { + CMS.debug("WARNING attempt to add duplicate Policy " + + defaultClassId + ":" + constraintClassId + + " Contact System Administrator."); + } + } + } + } + } + + String defaultRoot = id + "." + PROP_DEFAULT; + String constraintRoot = id + "." 
+ PROP_CONSTRAINT; + IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy", + defaultClassId); + + if (defInfo == null) { + CMS.debug("BasicProfile: Cannot find " + defaultClassId); + throw new EProfileException("Cannot find " + defaultClassId); + } + String defaultClass = defInfo.getClassName(); + + CMS.debug("BasicProfile: loading default class " + defaultClass); + IPolicyDefault def = null; + + try { + def = (IPolicyDefault) + Class.forName(defaultClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: default policy " + + defaultClass + " " + e.toString()); + } + if (def == null) { + CMS.debug("BasicProfile: failed to create " + defaultClass); + } else { + IConfigStore defStore = null; + + defStore = policyStore.getSubStore(defaultRoot); + def.init(this, defStore); + } + + IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy", + constraintClassId); + String constraintClass = conInfo.getClassName(); + IPolicyConstraint constraint = null; + + try { + constraint = (IPolicyConstraint) + Class.forName(constraintClass).newInstance(); + } catch (Exception e) { + // throw Exception + CMS.debug("BasicProfile: constraint policy " + + constraintClass + " " + e.toString()); + } + ProfilePolicy policy = null; + if (constraint == null) { + CMS.debug("BasicProfile: failed to create " + constraintClass); + } else { + IConfigStore conStore = null; + + conStore = policyStore.getSubStore(constraintRoot); + constraint.init(this, conStore); + policy = new ProfilePolicy(id, def, constraint); + policies.addElement(policy); + } + + if (createConfig) { + String list = null; + + try { + list = policyStore.getString(PROP_POLICY_LIST, null); + } catch (EBaseException e) { + } + if (list == null || list.equals("")) { + policyStore.putString(PROP_POLICY_LIST, id); + } else { + policyStore.putString(PROP_POLICY_LIST, list + "," + id); + } + policyStore.putString(id + ".default.name", + defInfo.getName(Locale.getDefault())); + 
policyStore.putString(id + ".default.class_id", + defaultClassId); + policyStore.putString(id + ".constraint.name", + conInfo.getName(Locale.getDefault())); + policyStore.putString(id + ".constraint.class_id", + constraintClassId); + try { + mConfig.putString("lastModified", + Long.toString(CMS.getCurrentDate().getTime())); + policyStore.commit(false); + } catch (EBaseException e) { + CMS.debug("BasicProfile: commiting config store " + + e.toString()); + } + } + + return policy; + } + + public IProfilePolicy getProfilePolicy(String setId, String id) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + if (policy.getId().equals(id)) { + return policy; + } + } + return null; + } + + public boolean isVisible() { + try { + return mConfig.getBoolean(PROP_VISIBLE, false); + } catch (EBaseException e) { + return false; + } + } + + public void setVisible(boolean v) { + mConfig.putBoolean(PROP_VISIBLE, v); + } + + /** + * Returns the profile name. + */ + public String getName(Locale locale) { + try { + return mConfig.getString(PROP_NAME, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setName(Locale locale, String name) { + mConfig.putString(PROP_NAME, name); + } + + public abstract IProfileContext createContext(); + + /** + * Creates request. + */ + public abstract IRequest[] createRequests(IProfileContext ctx, Locale locale) + throws EProfileException; + + /** + * Returns the profile description. 
+ */ + public String getDescription(Locale locale) { + try { + return mConfig.getString(PROP_DESC, ""); + } catch (EBaseException e) { + return ""; + } + } + + public void setDescription(Locale locale, String desc) { + mConfig.putString(PROP_DESC, desc); + } + + public void populateInput(IProfileContext ctx, IRequest request) + throws EProfileException { + Enumeration ids = getProfileInputIds(); + + while (ids.hasMoreElements()) { + String id = ids.nextElement(); + IProfileInput input = getProfileInput(id); + + input.populate(ctx, request); + } + } + + public Vector getPolicies(String setId) { + Vector policies = mPolicySet.get(setId); + + return policies; + } + + /** + * Passes the request to the set of default policies that + * populate the profile information against the profile. + */ + public void populate(IRequest request) + throws EProfileException { + String setId = getPolicySetId(request); + Vector policies = getPolicies(setId); + CMS.debug("BasicProfile: populate() policy setid =" + setId); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + policy.getDefault().populate(request); + } + } + + /** + * Passes the request to the set of constraint policies + * that validate the request against the profile. 
+ */ + public void validate(IRequest request) + throws ERejectException { + String setId = getPolicySetId(request); + CMS.debug("BasicProfile: validate start on setId=" + setId); + Vector policies = getPolicies(setId); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + policy.getConstraint().validate(request); + } + CMS.debug("BasicProfile: change to pending state"); + request.setRequestStatus(RequestStatus.PENDING); + CMS.debug("BasicProfile: validate end"); + } + + public Enumeration getProfilePolicies(String setId) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + return policies.elements(); + } + + public Enumeration getProfilePolicyIds(String setId) { + Vector policies = mPolicySet.get(setId); + + if (policies == null) + return null; + + Vector v = new Vector(); + + for (int i = 0; i < policies.size(); i++) { + ProfilePolicy policy = policies.elementAt(i); + + v.addElement(policy.getId()); + } + return v.elements(); + } + + public void execute(IRequest request) + throws EProfileException { + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "BasicProfile"s, + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "BasicProfile"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java new file mode 100644 index 000000000..b95b22339 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java 
@@ -0,0 +1,107 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfileEx; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a Certificate Manager enrollment + * profile for CA Certificates. + * + * @version $Revision$, $Date$ + */ +public class CACertCAEnrollProfile extends CAEnrollProfile + implements IProfileEx { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. 
+ */ + public void populate() throws EBaseException { + // create inputs + NameValuePairs inputParams1 = new NameValuePairs(); + createProfileInput("i1", "certReqInputImpl", inputParams1); + NameValuePairs inputParams2 = new NameValuePairs(); + createProfileInput("i2", "submitterInfoInputImpl", inputParams2); + + // create outputs + NameValuePairs outputParams1 = new NameValuePairs(); + createProfileOutput("o1", "certOutputImpl", outputParams1); + + // create policies + createProfilePolicy("set1", "p1", + "userSubjectNameDefaultImpl", "noConstraintImpl"); + + IProfilePolicy policy2 = + createProfilePolicy("set1", "p2", + "validityDefaultImpl", "noConstraintImpl"); + IPolicyDefault def2 = policy2.getDefault(); + IConfigStore defConfig2 = def2.getConfigStore(); + defConfig2.putString("params.range", "180"); + defConfig2.putString("params.startTime", "0"); + + IProfilePolicy policy3 = + createProfilePolicy("set1", "p3", + "userKeyDefaultImpl", "noConstraintImpl"); + IPolicyDefault def3 = policy3.getDefault(); + IConfigStore defConfig3 = def3.getConfigStore(); + defConfig3.putString("params.keyType", "RSA"); + defConfig3.putString("params.keyMinLength", "512"); + defConfig3.putString("params.keyMaxLength", "4096"); + + IProfilePolicy policy4 = + createProfilePolicy("set1", "p4", + "signingAlgDefaultImpl", "noConstraintImpl"); + IPolicyDefault def4 = policy4.getDefault(); + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4.putString("params.signingAlgsAllowed", + "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); + + // extensions + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", + "keyUsageExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def5 = policy5.getDefault(); + IConfigStore defConfig5 = def5.getConfigStore(); + defConfig5.putString("params.keyUsageCritical", "true"); + defConfig5.putString("params.keyUsageCrlSign", "true"); + 
defConfig5.putString("params.keyUsageDataEncipherment", "false"); + defConfig5.putString("params.keyUsageDecipherOnly", "false"); + defConfig5.putString("params.keyUsageDigitalSignature", "true"); + defConfig5.putString("params.keyUsageEncipherOnly", "false"); + defConfig5.putString("params.keyUsageKeyAgreement", "false"); + defConfig5.putString("params.keyUsageKeyCertSign", "true"); + defConfig5.putString("params.keyUsageKeyEncipherment", "false"); + defConfig5.putString("params.keyUsageNonRepudiation", "true"); + + IProfilePolicy policy6 = + createProfilePolicy("set1", "p6", + "basicConstraintsExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def6 = policy6.getDefault(); + IConfigStore defConfig6 = def6.getConfigStore(); + defConfig6.putString("params.basicConstraintsPathLen", "-1"); + defConfig6.putString("params.basicConstraintsIsCA", "true"); + defConfig6.putString("params.basicConstraintsPathLen", "-1"); + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java new file mode 100644 index 000000000..c03f90a4b --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/CAEnrollProfile.java 
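Review bot: The signing-algorithm allow-list written in populate() still admits `MD5withRSA` and `MD2withRSA` for a profile that issues CA certificates, and the key policy sets `params.keyMinLength` to `512`, while every policy in set1 is paired with `noConstraintImpl`, so nothing visible in this hunk rejects a weak request. I would tighten the defaults to `defConfig4.putString("params.signingAlgsAllowed", "SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC");` and `defConfig3.putString("params.keyMinLength", "2048");`, or at least add a comment explaining why the legacy algorithms must remain selectable for CA certificates. Whether the *DefaultImpl plugins enforce these params by themselves cannot be seen here, so the constraint side may need the same review. Separately, the p6 block puts `params.basicConstraintsPathLen` twice; the second `defConfig6.putString("params.basicConstraintsPathLen", "-1");` is a no-op and can be dropped. The commit only relocates this file, so these defaults predate it.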
@@ -0,0 +1,242 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Enumeration; + +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.ca.ICAService; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.connector.IConnector; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IProfileUpdater; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This class implements a Certificate Manager enrollment + * profile. 
+ * + * @version $Revision$, $Date$ + */ +public class CAEnrollProfile extends EnrollProfile { + + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = + "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + + public CAEnrollProfile() { + super(); + } + + public IAuthority getAuthority() { + IAuthority authority = (IAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + + if (authority == null) + return null; + return authority; + } + + public X500Name getIssuerName() { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + X500Name issuerName = ca.getX500Name(); + + return issuerName; + } + + public void execute(IRequest request) + throws EProfileException { + + long startTime = CMS.getCurrentDate().getTime(); + + if (!isEnable()) { + CMS.debug("CAEnrollProfile: Profile Not Enabled"); + throw new EProfileException("Profile Not Enabled"); + } + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); + String auditArchiveID = ILogger.UNIDENTIFIED; + + String id = request.getRequestId().toString(); + if (id != null) { + auditArchiveID = id.trim(); + } + + CMS.debug("CAEnrollProfile: execute reqId=" + + request.getRequestId().toString()); + ICertificateAuthority ca = (ICertificateAuthority) getAuthority(); + ICAService caService = (ICAService) ca.getCAService(); + + if (caService == null) { + throw new EProfileException("No CA Service"); + } + + // if PKI Archive Option present, send this request + // to DRM + byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS); + + // do not archive keys for renewal requests + if ((optionsData != null) && (!request.getRequestType().equals(IRequest.RENEWAL_REQUEST))) { + PKIArchiveOptions options = (PKIArchiveOptions) + toPKIArchiveOptions(optionsData); + + if (options != null) { + CMS.debug("CAEnrollProfile: execute found " + + "PKIArchiveOptions"); + try { + IConnector 
kraConnector = caService.getKRAConnector(); + + if (kraConnector == null) { + CMS.debug("CAEnrollProfile: KRA connector " + + "not configured"); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + + } else { + CMS.debug("CAEnrollProfile: execute send request"); + kraConnector.send(request); + + // check response + if (!request.isSuccess()) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new ERejectException( + request.getError(getLocale(request))); + } + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + } + } catch (Exception e) { + + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("CAEnrollProfile: " + e.toString()); + CMS.debug(e); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new EProfileException(e.toString()); + } + } + } + + // process certificate issuance + X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + X509CertImpl theCert = null; + + // #615460 - added audit log (transaction) + SessionContext sc = SessionContext.getExistingContext(); + sc.put("profileId", getId()); + String setId = request.getExtDataInString("profileSetId"); + if (setId != null) { + sc.put("profileSetId", setId); + } + + try { + theCert = caService.issueX509Cert(info, getId() /* profileId */, + id /* requestId */); + } catch (EBaseException e) { + CMS.debug(e.toString()); + + throw new EProfileException(e.toString()); + } + 
request.setExtData(REQUEST_ISSUED_CERT, theCert); + + long endTime = CMS.getCurrentDate().getTime(); + + String initiative = AuditFormat.FROMAGENT + + " userID: " + + (String) sc.get(SessionContext.USER_ID); + String authMgr = (String) sc.get(SessionContext.AUTH_MANAGER_ID); + + ILogger logger = CMS.getLogger(); + if (logger != null) { + logger.log(ILogger.EV_AUDIT, + ILogger.S_OTHER, AuditFormat.LEVEL, AuditFormat.FORMAT, + new Object[] { + request.getRequestType(), + request.getRequestId(), + initiative, + authMgr, + "completed", + theCert.getSubjectDN(), + "cert issued serial number: 0x" + + theCert.getSerialNumber().toString(16) + + " time: " + (endTime - startTime) } + ); + } + + request.setRequestStatus(RequestStatus.COMPLETE); + + // notifies updater plugins + Enumeration updaterIds = getProfileUpdaterIds(); + while (updaterIds.hasMoreElements()) { + String updaterId = updaterIds.nextElement(); + IProfileUpdater updater = getProfileUpdater(updaterId); + updater.update(request, RequestStatus.COMPLETE); + } + + // set value for predicate value - checking in getRule + if (CMS.isEncryptionCert(theCert)) + request.setExtData("isEncryptionCert", "true"); + else + request.setExtData("isEncryptionCert", "false"); + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java new file mode 100644 index 000000000..d574f0f94 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java 
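Review bot: In execute(), when the request carries PKIArchiveOptions but `caService.getKRAConnector()` returns null, the code writes a FAILURE audit record and then falls through to `caService.issueX509Cert(...)`, so a certificate is issued although the requested key archival never happened, whereas the `kraConnector.send` failure path a few lines later rejects the request. Unless issuance without escrow is deliberate, the null branch should end with `throw new EProfileException("KRA connector not configured");` directly after `audit(auditMessage);`, or a comment should state that issuing without archival is intended. The same method calls `sc.put("profileId", getId())` on the result of `SessionContext.getExistingContext()` with no null check, although BasicProfile.auditSubjectID() in this same patch treats that return value as possibly null, so a guard such as `if (sc != null)` around the two puts (and the later `sc.get` calls) seems warranted; I cannot tell from this hunk which call paths guarantee a context. Lastly, `throw new EProfileException(e.toString())` in both catch blocks discards the original exception, which makes archival and issuance failures hard to diagnose from logs.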
@@ -0,0 +1,1468 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.common;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.ASN1Util;
+import org.mozilla.jss.asn1.ASN1Value;
+import org.mozilla.jss.asn1.INTEGER;
+import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.OCTET_STRING;
+import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.SET;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.pkcs10.CertificationRequest;
+import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+import org.mozilla.jss.pkix.cmc.LraPopWitness;
+import org.mozilla.jss.pkix.cmc.OtherMsg;
+import org.mozilla.jss.pkix.cmc.PKIData;
+import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+import org.mozilla.jss.pkix.cmc.TaggedRequest;
+import org.mozilla.jss.pkix.crmf.CertReqMsg;
+import org.mozilla.jss.pkix.crmf.CertRequest;
+import org.mozilla.jss.pkix.crmf.CertTemplate;
+import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
+import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+import org.mozilla.jss.pkix.primitive.AVA;
+import org.mozilla.jss.pkix.primitive.Attribute;
+import org.mozilla.jss.pkix.primitive.Name;
+import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authentication.ISharedToken;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EDeferException;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.cmsutil.util.HMACDigest;
+
+/**
+ * This class implements a generic enrollment profile.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollProfile extends BasicProfile
+ implements IEnrollProfile {
+
+ private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+ private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+
+ private PKIData mCMCData;
+
+ public EnrollProfile() {
+ super();
+ }
+
+ public abstract IAuthority getAuthority();
+
+ public IRequestQueue getRequestQueue() {
+ IAuthority authority = getAuthority();
+
+ return authority.getRequestQueue();
+ }
+
+ public IProfileContext createContext() {
+ return new EnrollProfileContext();
+ }
+
+ /**
+ * Creates request.
+ */
+ public IRequest[] createRequests(IProfileContext context, Locale locale)
+ throws EProfileException {
+ EnrollProfileContext ctx = (EnrollProfileContext) context;
+
+ // determine how many requests should be created
+ String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE);
+ String cert_request = ctx.get(CTX_CERT_REQUEST);
+ String is_renewal = ctx.get(CTX_RENEWAL);
+ Integer renewal_seq_num = 0;
+
+ /* cert_request_type can be null for the case of CMC */
+ if (cert_request_type == null) {
+ CMS.debug("EnrollProfile: request type is null");
+ }
+
+ int num_requests = 1; // default to 1 request
+
+ if (cert_request_type != null && cert_request_type.startsWith("pkcs10")) {
+ // catch for invalid request
+ parsePKCS10(locale, cert_request);
+ }
+ if (cert_request_type != null && cert_request_type.startsWith("crmf")) {
+ CertReqMsg msgs[] = parseCRMF(locale, cert_request);
+
+ num_requests = msgs.length;
+ }
+ if (cert_request_type != null && cert_request_type.startsWith("cmc")) {
+ // catch for invalid request
+ TaggedRequest[] msgs = parseCMC(locale, cert_request);
+ if (msgs == null)
+ return null;
+ else
+ num_requests = msgs.length;
+ }
+
+ // only 1 request for renewal
+ if ((is_renewal != null) && (is_renewal.equals("true"))) {
+ num_requests = 1;
+ String renewal_seq_num_str = ctx.get(CTX_RENEWAL_SEQ_NUM);
+ if (renewal_seq_num_str != null) {
+ renewal_seq_num = Integer.parseInt(renewal_seq_num_str);
+ } else {
+ renewal_seq_num = 0;
+ }
+ }
+
+ // populate requests with appropriate content
+ IRequest result[] = new IRequest[num_requests];
+
+ for (int i = 0; i < num_requests; i++) {
+ result[i] = createEnrollmentRequest();
+ if ((is_renewal != null) && (is_renewal.equals("true"))) {
+ result[i].setExtData(REQUEST_SEQ_NUM, renewal_seq_num);
+ } else {
+ result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i));
+ }
+ if (locale != null) {
+ result[i].setExtData(REQUEST_LOCALE, locale.getLanguage());
+ }
+ }
+ return result;
+ }
+
+ public abstract X500Name getIssuerName();
+
+ public void setDefaultCertInfo(IRequest req) throws EProfileException {
+ // create an empty certificate template so that
+ // default plugins that store stuff
+ X509CertInfo info = new X509CertInfo();
+
+ // retrieve issuer name
+ X500Name issuerName = getIssuerName();
+
+ byte[] dummykey = new byte[] {
+ 48, 92, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5,
+ 0, 3, 75, 0, 48, 72, 2, 65, 0, -65, 121, -119, -59, 105, 66,
+ -122, -78, -30, -64, 63, -47, 44, -48, -104, 103, -47, -108,
+ 42, -38, 46, -8, 32, 49, -29, -26, -112, -29, -86, 71, 24,
+ -104, 78, -31, -75, -128, 90, -92, -34, -51, -125, -13, 80, 101,
+ -78, 39, -119, -38, 117, 28, 67, -19, -71, -124, -85, 105, -53,
+ -103, -59, -67, -38, -83, 118, 65, 2, 3, 1, 0, 1 };
+ // default values into x509 certinfo. This thing is
+ // not serializable by default
+ try {
+ info.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
+ info.set(X509CertInfo.SERIAL_NUMBER,
+ new CertificateSerialNumber(new BigInteger("0")));
+ info.set(X509CertInfo.ISSUER,
+ new CertificateIssuerName(issuerName));
+ info.set(X509CertInfo.KEY,
+ new CertificateX509Key(X509Key.parse(new DerValue(dummykey))));
+ info.set(X509CertInfo.SUBJECT,
+ new CertificateSubjectName(issuerName));
+ info.set(X509CertInfo.VALIDITY,
+ new CertificateValidity(new Date(), new Date()));
+ info.set(X509CertInfo.ALGORITHM_ID,
+ new CertificateAlgorithmId(
+ AlgorithmId.getAlgorithmId("MD5withRSA")));
+
+ // add default extension container
+ info.set(X509CertInfo.EXTENSIONS,
+ new CertificateExtensions());
+ } catch (Exception e) {
+ // throw exception - add key to template
+ CMS.debug("EnrollProfile: Building X509CertInfo - " + e.toString());
+ throw new EProfileException(e.toString());
+ }
+ req.setExtData(REQUEST_CERTINFO, info);
+ }
+
+ public IRequest createEnrollmentRequest()
+ throws EProfileException {
+ IRequest req = null;
+
+ try {
+ req = getRequestQueue().newRequest("enrollment");
+
+ setDefaultCertInfo(req);
+
+ // put the certificate info into request
+ req.setExtData(REQUEST_EXTENSIONS,
+ new CertificateExtensions());
+
+ CMS.debug("EnrollProfile: createRequest " +
+ req.getRequestId().toString());
+ } catch (EBaseException e) {
+ // raise exception
+ CMS.debug("EnrollProfile: create new enroll request " +
+ e.toString());
+ }
+
+ return req;
+ }
+
+ public abstract void execute(IRequest request)
+ throws EProfileException;
+
+ /**
+ * Perform simple policy set assignment.
+ */
+ public String getPolicySetId(IRequest req) {
+ Integer seq = req.getExtDataInInteger(REQUEST_SEQ_NUM);
+ int seq_no = seq.intValue(); // start from 0
+
+ int count = 0;
+ Enumeration setIds = getProfilePolicySetIds();
+
+ while (setIds.hasMoreElements()) {
+ String setId = (String) setIds.nextElement();
+
+ if (count == seq_no) {
+ return setId;
+ }
+ count++;
+ }
+ return null;
+ }
+
+ public String getRequestorDN(IRequest request) {
+ X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO);
+
+ try {
+ CertificateSubjectName sn = (CertificateSubjectName)
+ info.get(X509CertInfo.SUBJECT);
+
+ return sn.toString();
+ } catch (Exception e) {
+ CMS.debug("EnrollProfile: getRequestDN " + e.toString());
+ }
+ return null;
+ }
+
+ /**
+ * This method is called after the user submits the
+ * request from the end-entity page.
+ */ + public void submit(IAuthToken token, IRequest request) + throws EDeferException, EProfileException { + // Request Submission Logic: + // + // if (Authentication Failed) { + // return Error + // } else { + // if (No Auth Token) { + // queue request + // } else { + // process request + // } + // } + + IAuthority authority = (IAuthority) + getAuthority(); + IRequestQueue queue = authority.getRequestQueue(); + + // this profile queues request that is authenticated + // by NoAuth + try { + queue.updateRequest(request); + } catch (EBaseException e) { + // save request to disk + CMS.debug("EnrollProfile: Update request " + e.toString()); + } + + if (token == null) { + CMS.debug("EnrollProfile: auth token is null"); + CMS.debug("EnrollProfile: validating request"); + validate(request); + try { + queue.updateRequest(request); + } catch (EBaseException e) { + CMS.debug("EnrollProfile: Update request (after validation) " + e.toString()); + } + + throw new EDeferException("defer request"); + } else { + // this profile executes request that is authenticated + // by non NoAuth + CMS.debug("EnrollProfile: auth token is not null"); + validate(request); + execute(request); + } + } + + public TaggedRequest[] parseCMC(Locale locale, String certreq) + throws EProfileException { + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile: parseCMC() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("EnrollProfile: Start parseCMC(): " + certreq); + + TaggedRequest msgs[] = null; + + String creq = normalizeCertReq(certreq); + try { + byte data[] = CMS.AtoB(creq); + ByteArrayInputStream cmcBlobIn = + new ByteArrayInputStream(data); + + org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) + org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn); + org.mozilla.jss.pkix.cms.SignedData cmcFullReq = + (org.mozilla.jss.pkix.cms.SignedData) 
cmcReq.getInterpretedContent(); + org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); + OCTET_STRING content = ci.getContent(); + + ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); + PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s); + + mCMCData = pkiData; + //PKIData pkiData = (PKIData) + // (new PKIData.Template()).decode(cmcBlobIn); + SEQUENCE controlSeq = pkiData.getControlSequence(); + int numcontrols = controlSeq.size(); + SEQUENCE reqSeq = pkiData.getReqSequence(); + byte randomSeed[] = null; + SessionContext context = SessionContext.getContext(); + if (!context.containsKey("numOfControls")) { + if (numcontrols > 0) { + context.put("numOfControls", Integer.valueOf(numcontrols)); + TaggedAttribute[] attributes = new TaggedAttribute[numcontrols]; + for (int i = 0; i < numcontrols; i++) { + attributes[i] = (TaggedAttribute) controlSeq.elementAt(i); + OBJECT_IDENTIFIER oid = attributes[i].getType(); + if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) { + boolean valid = verifyIdentityProof(attributes[i], + reqSeq); + if (!valid) { + SEQUENCE bpids = getRequestBpids(reqSeq); + context.put("identityProof", bpids); + return null; + } + } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) { + SET vals = attributes[i].getValues(); + OCTET_STRING ostr = + (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + randomSeed = ostr.toByteArray(); + } else { + context.put(attributes[i].getType(), attributes[i]); + } + } + } + } + + SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence(); + int numOtherMsgs = otherMsgSeq.size(); + if (!context.containsKey("numOfOtherMsgs")) { + context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs)); + for (int i = 0; i < numOtherMsgs; i++) { + OtherMsg omsg = (OtherMsg) (ASN1Util.decode(OtherMsg.getTemplate(), + ASN1Util.encode(otherMsgSeq.elementAt(i)))); + context.put("otherMsg" + i, omsg); + } + } + + 
int nummsgs = reqSeq.size(); + if (nummsgs > 0) { + msgs = new TaggedRequest[reqSeq.size()]; + SEQUENCE bpids = new SEQUENCE(); + boolean valid = true; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (TaggedRequest) reqSeq.elementAt(i); + if (!context.containsKey("POPLinkWitness")) { + if (randomSeed != null) { + valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids); + if (!valid || bpids.size() > 0) { + context.put("POPLinkWitness", bpids); + return null; + } + } + } + } + } else + return null; + + return msgs; + } catch (Exception e) { + CMS.debug("EnrollProfile: parseCMC " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req, + SEQUENCE bpids) { + ISharedToken tokenClass = null; + boolean sharedSecretFound = true; + String name = null; + try { + name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); + } catch (EPropertyNotFound e) { + CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); + sharedSecretFound = false; + } catch (EBaseException e) { + CMS.debug("EnrollProfile: Failed to find the token class in the configuration file."); + sharedSecretFound = false; + } + + try { + tokenClass = (ISharedToken) Class.forName(name).newInstance(); + } catch (ClassNotFoundException e) { + CMS.debug("EnrollProfile: Failed to find class name: " + name); + sharedSecretFound = false; + } catch (InstantiationException e) { + CMS.debug("EnrollProfile: Failed to instantiate class: " + name); + sharedSecretFound = false; + } catch (IllegalAccessException e) { + CMS.debug("EnrollProfile: Illegal access: " + name); + sharedSecretFound = false; + } + + INTEGER reqId = null; + byte[] bv = null; + String sharedSecret = null; + if (tokenClass != null) + sharedSecret = tokenClass.getSharedToken(mCMCData); + if (req.getType().equals(TaggedRequest.PKCS10)) { + TaggedCertificationRequest tcr = 
req.getTcr(); + if (!sharedSecretFound) { + bpids.addElement(tcr.getBodyPartID()); + return false; + } else { + CertificationRequest creq = tcr.getCertificationRequest(); + CertificationRequestInfo cinfo = creq.getInfo(); + SET attrs = cinfo.getAttributes(); + for (int j = 0; j < attrs.size(); j++) { + Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); + if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { + SET witnessVal = pkcs10Attr.getValues(); + if (witnessVal.size() > 0) { + try { + OCTET_STRING str = + (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(witnessVal.elementAt(0)))); + bv = str.toByteArray(); + return verifyDigest(sharedSecret.getBytes(), + randomSeed, bv); + } catch (InvalidBERException ex) { + return false; + } + } + } + } + + return false; + } + } else if (req.getType().equals(TaggedRequest.CRMF)) { + CertReqMsg crm = req.getCrm(); + CertRequest certReq = crm.getCertReq(); + reqId = certReq.getCertReqId(); + if (!sharedSecretFound) { + bpids.addElement(reqId); + return false; + } else { + for (int i = 0; i < certReq.numControls(); i++) { + AVA ava = certReq.controlAt(i); + + if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { + ASN1Value value = ava.getValue(); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(value)); + OCTET_STRING ostr = null; + try { + ostr = (OCTET_STRING) + (new OCTET_STRING.Template()).decode(bis); + bv = ostr.toByteArray(); + } catch (Exception e) { + bpids.addElement(reqId); + return false; + } + + boolean valid = verifyDigest(sharedSecret.getBytes(), + randomSeed, bv); + if (!valid) { + bpids.addElement(reqId); + return valid; + } + } + } + } + } + + return true; + } + + private boolean verifyDigest(byte[] sharedSecret, byte[] text, byte[] bv) { + byte[] key = null; + try { + MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); + key = SHA1Digest.digest(sharedSecret); + } catch (NoSuchAlgorithmException ex) { + 
CMS.debug("EnrollProfile: No such algorithm for this message digest."); + return false; + } + + byte[] finalDigest = null; + try { + MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); + HMACDigest hmacDigest = new HMACDigest(SHA1Digest, key); + hmacDigest.update(text); + finalDigest = hmacDigest.digest(); + } catch (NoSuchAlgorithmException ex) { + CMS.debug("EnrollProfile: No such algorithm for this message digest."); + return false; + } + + if (finalDigest.length != bv.length) { + CMS.debug("EnrollProfile: The length of two HMAC digest are not the same."); + return false; + } + + for (int j = 0; j < bv.length; j++) { + if (bv[j] != finalDigest[j]) { + CMS.debug("EnrollProfile: The content of two HMAC digest are not the same."); + return false; + } + } + + CMS.debug("EnrollProfile: The content of two HMAC digest are the same."); + return true; + } + + private SEQUENCE getRequestBpids(SEQUENCE reqSeq) { + SEQUENCE bpids = new SEQUENCE(); + for (int i = 0; i < reqSeq.size(); i++) { + TaggedRequest req = (TaggedRequest) reqSeq.elementAt(i); + if (req.getType().equals(TaggedRequest.PKCS10)) { + TaggedCertificationRequest tcr = req.getTcr(); + bpids.addElement(tcr.getBodyPartID()); + } else if (req.getType().equals(TaggedRequest.CRMF)) { + CertReqMsg crm = req.getCrm(); + CertRequest request = crm.getCertReq(); + bpids.addElement(request.getCertReqId()); + } + } + + return bpids; + } + + private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) { + SET vals = attr.getValues(); + if (vals.size() < 1) + return false; + String name = null; + try { + name = CMS.getConfigStore().getString("cmc.sharedSecret.class"); + } catch (EPropertyNotFound e) { + } catch (EBaseException e) { + } + + if (name == null) + return false; + else { + ISharedToken tokenClass = null; + try { + tokenClass = (ISharedToken) Class.forName(name).newInstance(); + } catch (ClassNotFoundException e) { + CMS.debug("EnrollProfile: Failed to find class name: " + name); + return 
false; + } catch (InstantiationException e) { + CMS.debug("EnrollProfile: Failed to instantiate class: " + name); + return false; + } catch (IllegalAccessException e) { + CMS.debug("EnrollProfile: Illegal access: " + name); + return false; + } + + String token = tokenClass.getSharedToken(mCMCData); + OCTET_STRING ostr = null; + try { + ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { + CMS.debug("EnrollProfile: Failed to decode the byte value."); + return false; + } + byte[] b = ostr.toByteArray(); + byte[] text = ASN1Util.encode(reqSeq); + + return verifyDigest(token.getBytes(), text, b); + } + } + + public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info, + IRequest req) + throws EProfileException { + TaggedRequest.Type type = tagreq.getType(); + + if (type.equals(TaggedRequest.PKCS10)) { + try { + TaggedCertificationRequest tcr = tagreq.getTcr(); + CertificationRequest p10 = tcr.getCertificationRequest(); + ByteArrayOutputStream ostream = new ByteArrayOutputStream(); + + p10.encode(ostream); + PKCS10 pkcs10 = new PKCS10(ostream.toByteArray()); + + req.setExtData("bodyPartId", tcr.getBodyPartID()); + fillPKCS10(locale, pkcs10, info, req); + } catch (Exception e) { + CMS.debug("EnrollProfile: fillTaggedRequest " + + e.toString()); + } + } else if (type.equals(TaggedRequest.CRMF)) { + CertReqMsg crm = tagreq.getCrm(); + SessionContext context = SessionContext.getContext(); + Integer nums = (Integer) (context.get("numOfControls")); + + // check if the LRA POP Witness Control attribute exists + if (nums != null && nums.intValue() > 0) { + TaggedAttribute attr = + (TaggedAttribute) (context.get(OBJECT_IDENTIFIER.id_cmc_lraPOPWitness)); + if (attr != null) { + parseLRAPopWitness(locale, crm, attr); + } else { + CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); + 
verifyPOP(locale, crm); + } + } else { + CMS.debug("EnrollProfile: verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request."); + verifyPOP(locale, crm); + } + + fillCertReqMsg(locale, crm, info, req); + } else { + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private void parseLRAPopWitness(Locale locale, CertReqMsg crm, + TaggedAttribute attr) throws EProfileException { + SET vals = attr.getValues(); + boolean donePOP = false; + INTEGER reqId = null; + if (vals.size() > 0) { + LraPopWitness lraPop = null; + try { + lraPop = (LraPopWitness) (ASN1Util.decode(LraPopWitness.getTemplate(), + ASN1Util.encode(vals.elementAt(0)))); + } catch (InvalidBERException e) { + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_ENCODING_ERROR")); + } + + SEQUENCE bodyIds = lraPop.getBodyIds(); + reqId = crm.getCertReq().getCertReqId(); + + for (int i = 0; i < bodyIds.size(); i++) { + INTEGER num = (INTEGER) (bodyIds.elementAt(i)); + if (num.toString().equals(reqId.toString())) { + donePOP = true; + CMS.debug("EnrollProfile: skip POP for request: " + + reqId.toString() + " because LRA POP Witness control is found."); + break; + } + } + } + + if (!donePOP) { + CMS.debug("EnrollProfile: not skip POP for request: " + + reqId.toString() + + " because this request id is not part of the body list in LRA Pop witness control."); + verifyPOP(locale, crm); + } + } + + public CertReqMsg[] parseCRMF(Locale locale, String certreq) + throws EProfileException { + + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile: parseCRMF() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("EnrollProfile: Start parseCRMF(): " + certreq); + + CertReqMsg msgs[] = null; + String creq = normalizeCertReq(certreq); + try { + byte data[] = CMS.AtoB(creq); + ByteArrayInputStream crmfBlobIn = + 
new ByteArrayInputStream(data); + SEQUENCE crmfMsgs = (SEQUENCE) + new SEQUENCE.OF_Template(new + CertReqMsg.Template()).decode(crmfBlobIn); + int nummsgs = crmfMsgs.size(); + + if (nummsgs <= 0) + return null; + msgs = new CertReqMsg[crmfMsgs.size()]; + for (int i = 0; i < nummsgs; i++) { + msgs[i] = (CertReqMsg) crmfMsgs.elementAt(i); + } + return msgs; + } catch (Exception e) { + CMS.debug("EnrollProfile: parseCRMF " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = + new OBJECT_IDENTIFIER(new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 } + ); + + protected PKIArchiveOptions getPKIArchiveOptions(AVA ava) { + ASN1Value archVal = ava.getValue(); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(archVal)); + PKIArchiveOptions archOpts = null; + + try { + archOpts = (PKIArchiveOptions) + (new PKIArchiveOptions.Template()).decode(bis); + } catch (Exception e) { + CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString()); + } + return archOpts; + } + + public PKIArchiveOptions toPKIArchiveOptions(byte options[]) { + ByteArrayInputStream bis = new ByteArrayInputStream(options); + PKIArchiveOptions archOpts = null; + + try { + archOpts = (PKIArchiveOptions) + (new PKIArchiveOptions.Template()).decode(bis); + } catch (Exception e) { + CMS.debug("EnrollProfile: toPKIArchiveOptions " + e.toString()); + } + return archOpts; + } + + public byte[] toByteArray(PKIArchiveOptions options) { + return ASN1Util.encode(options); + } + + public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info, + IRequest req) + throws EProfileException { + try { + CMS.debug("Start parseCertReqMsg "); + CertRequest certReq = certReqMsg.getCertReq(); + req.setExtData("bodyPartId", certReq.getCertReqId()); + // handle PKIArchiveOption (key archival) + for (int i = 0; i < certReq.numControls(); i++) { + AVA ava = 
certReq.controlAt(i); + + if (ava.getOID().equals(PKIARCHIVEOPTIONS_OID)) { + PKIArchiveOptions opt = getPKIArchiveOptions(ava); + + //req.set(REQUEST_ARCHIVE_OPTIONS, opt); + req.setExtData(REQUEST_ARCHIVE_OPTIONS, + toByteArray(opt)); + } + } + + CertTemplate certTemplate = certReq.getCertTemplate(); + + // parse key + SubjectPublicKeyInfo spki = certTemplate.getPublicKey(); + ByteArrayOutputStream keyout = new ByteArrayOutputStream(); + + spki.encode(keyout); + byte[] keybytes = keyout.toByteArray(); + X509Key key = new X509Key(); + + key.decode(keybytes); + + // XXX - kmccarth - this may simply undo the decoding above + // but for now it's unclear whether X509Key + // changest the format when decoding. + CertificateX509Key certKey = new CertificateX509Key(key); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(REQUEST_KEY, certKeyOut.toByteArray()); + + // parse validity + if (certTemplate.getNotBefore() != null || + certTemplate.getNotAfter() != null) { + CMS.debug("EnrollProfile: requested notBefore: " + certTemplate.getNotBefore()); + CMS.debug("EnrollProfile: requested notAfter: " + certTemplate.getNotAfter()); + CMS.debug("EnrollProfile: current CA time: " + new Date()); + CertificateValidity certValidity = new CertificateValidity( + certTemplate.getNotBefore(), certTemplate.getNotAfter()); + ByteArrayOutputStream certValidityOut = + new ByteArrayOutputStream(); + certValidity.encode(certValidityOut); + req.setExtData(REQUEST_VALIDITY, certValidityOut.toByteArray()); + } else { + CMS.debug("EnrollProfile: validity not supplied"); + } + + // parse subject + if (certTemplate.hasSubject()) { + Name subjectdn = certTemplate.getSubject(); + ByteArrayOutputStream subjectEncStream = + new ByteArrayOutputStream(); + + subjectdn.encode(subjectEncStream); + byte[] subjectEnc = subjectEncStream.toByteArray(); + X500Name subject = new X500Name(subjectEnc); + + //info.set(X509CertInfo.SUBJECT, + // new 
CertificateSubjectName(subject)); + + req.setExtData(REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subject)); + try { + String subjectCN = subject.getCommonName(); + if (subjectCN == null) + subjectCN = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", subjectCN); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", ""); + } + try { + String subjectUID = subject.getUserID(); + if (subjectUID == null) + subjectUID = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", subjectUID); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", ""); + } + } + + // parse extensions + CertificateExtensions extensions = null; + + // try { + extensions = req.getExtDataInCertExts(REQUEST_EXTENSIONS); + // } catch (CertificateException e) { + // extensions = null; + // } catch (IOException e) { + // extensions = null; + // } + if (certTemplate.hasExtensions()) { + // put each extension from CRMF into CertInfo. + // index by extension name, consistent with + // CertificateExtensions.parseExtension() method. 
+ if (extensions == null) + extensions = new CertificateExtensions(); + int numexts = certTemplate.numExtensions(); + + for (int j = 0; j < numexts; j++) { + org.mozilla.jss.pkix.cert.Extension jssext = + certTemplate.extensionAt(j); + boolean isCritical = jssext.getCritical(); + org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid = + jssext.getExtnId(); + long[] numbers = jssoid.getNumbers(); + int[] oidNumbers = new int[numbers.length]; + + for (int k = numbers.length - 1; k >= 0; k--) { + oidNumbers[k] = (int) numbers[k]; + } + ObjectIdentifier oid = + new ObjectIdentifier(oidNumbers); + org.mozilla.jss.asn1.OCTET_STRING jssvalue = + jssext.getExtnValue(); + ByteArrayOutputStream jssvalueout = + new ByteArrayOutputStream(); + + jssvalue.encode(jssvalueout); + byte[] extValue = jssvalueout.toByteArray(); + + Extension ext = + new Extension(oid, isCritical, extValue); + + extensions.parseExtension(ext); + } + // info.set(X509CertInfo.EXTENSIONS, extensions); + req.setExtData(REQUEST_EXTENSIONS, extensions); + + } + } catch (IOException e) { + CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (InvalidKeyException e) { + CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + // } catch (CertificateException e) { + // CMS.debug("EnrollProfile: fillCertReqMsg " + e.toString()); + // throw new EProfileException(e.toString()); + } + } + + public PKCS10 parsePKCS10(Locale locale, String certreq) + throws EProfileException { + /* cert request must not be null */ + if (certreq == null) { + CMS.debug("EnrollProfile:parsePKCS10() certreq null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + CMS.debug("Start parsePKCS10(): " + certreq); + + // trim header and footer + String creq = normalizeCertReq(certreq); + + // parse 
certificate into object + byte data[] = CMS.AtoB(creq); + PKCS10 pkcs10 = null; + CryptoManager cm = null; + CryptoToken savedToken = null; + boolean sigver = true; + + try { + cm = CryptoManager.getInstance(); + sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); + if (sigver) { + CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled"); + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + savedToken = cm.getThreadToken(); + CryptoToken signToken = null; + if (tokenName.equals("internal")) { + CMS.debug("EnrollProfile: parsePKCS10: use internal token"); + signToken = cm.getInternalCryptoToken(); + } else { + CMS.debug("EnrollProfile: parsePKCS10: tokenName=" + tokenName); + signToken = cm.getTokenByName(tokenName); + } + CMS.debug("EnrollProfile: parsePKCS10 setting thread token"); + cm.setThreadToken(signToken); + pkcs10 = new PKCS10(data); + } else { + CMS.debug("EnrollProfile: parsePKCS10: signature verification disabled"); + pkcs10 = new PKCS10(data, sigver); + } + } catch (Exception e) { + CMS.debug("EnrollProfile: parsePKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } finally { + if (sigver) { + CMS.debug("EnrollProfile: parsePKCS10 restoring thread token"); + cm.setThreadToken(savedToken); + } + } + + return pkcs10; + } + + public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req) + throws EProfileException { + X509Key key = pkcs10.getSubjectPublicKeyInfo(); + + try { + CertificateX509Key certKey = new CertificateX509Key(key); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray()); + + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(pkcs10.getSubjectName())); + try { + String subjectCN = pkcs10.getSubjectName().getCommonName(); + if 
(subjectCN == null) + subjectCN = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", subjectCN); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".cn", ""); + } + try { + String subjectUID = pkcs10.getSubjectName().getUserID(); + if (subjectUID == null) + subjectUID = ""; + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", subjectUID); + } catch (Exception ee) { + req.setExtData(REQUEST_SUBJECT_NAME + ".uid", ""); + } + + info.set(X509CertInfo.KEY, certKey); + + PKCS10Attributes p10Attrs = pkcs10.getAttributes(); + if (p10Attrs != null) { + PKCS10Attribute p10Attr = (PKCS10Attribute) + (p10Attrs.getAttribute(CertificateExtensions.NAME)); + if (p10Attr != null && p10Attr.getAttributeId().equals( + PKCS9Attribute.EXTENSION_REQUEST_OID)) { + CMS.debug("Found PKCS10 extension"); + Extensions exts0 = (Extensions) + (p10Attr.getAttributeValue()); + DerOutputStream extOut = new DerOutputStream(); + + exts0.encode(extOut); + byte[] extB = extOut.toByteArray(); + DerInputStream extIn = new DerInputStream(extB); + CertificateExtensions exts = new CertificateExtensions(extIn); + if (exts != null) { + CMS.debug("Set extensions " + exts); + // info.set(X509CertInfo.EXTENSIONS, exts); + req.setExtData(REQUEST_EXTENSIONS, exts); + } + } else { + CMS.debug("PKCS10 extension Not Found"); + } + } + + CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName()); + } catch (IOException e) { + CMS.debug("EnrollProfile: fillPKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: fillPKCS10 " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + // for netkey + public void fillNSNKEY(Locale locale, String sn, String skey, X509CertInfo info, IRequest req) + throws EProfileException { + + try { + //cfu - is the algorithm going to be replaced by the policy? 
+ X509Key key = new X509Key(); + key.decode(CMS.AtoB(skey)); + + info.set(X509CertInfo.KEY, new CertificateX509Key(key)); + // req.set(EnrollProfile.REQUEST_SUBJECT_NAME, + // new CertificateSubjectName(new + // X500Name("CN="+sn))); + req.setExtData("screenname", sn); + // keeping "aoluid" to be backward compatible + req.setExtData("aoluid", sn); + req.setExtData("uid", sn); + CMS.debug("EnrollPrifile: fillNSNKEY(): uid=" + sn); + + } catch (Exception e) { + CMS.debug("EnrollProfile: fillNSNKEY(): " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + // for house key + public void fillNSHKEY(Locale locale, String tcuid, String skey, X509CertInfo info, IRequest req) + throws EProfileException { + + try { + //cfu - is the algorithm going to be replaced by the policy? + X509Key key = new X509Key(); + key.decode(CMS.AtoB(skey)); + + info.set(X509CertInfo.KEY, new CertificateX509Key(key)); + // req.set(EnrollProfile.REQUEST_SUBJECT_NAME, + // new CertificateSubjectName(new + // X500Name("CN="+sn))); + req.setExtData("tokencuid", tcuid); + + CMS.debug("EnrollPrifile: fillNSNKEY(): tokencuid=" + tcuid); + + } catch (Exception e) { + CMS.debug("EnrollProfile: fillNSHKEY(): " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + public DerInputStream parseKeyGen(Locale locale, String certreq) + throws EProfileException { + byte data[] = CMS.AtoB(certreq); + + DerInputStream derIn = new DerInputStream(data); + + return derIn; + } + + public void fillKeyGen(Locale locale, DerInputStream derIn, X509CertInfo info, IRequest req + ) + throws EProfileException { + try { + + /* get SPKAC Algorithm & Signature */ + DerValue derSPKACContent[] = derIn.getSequence(3); + @SuppressWarnings("unused") + AlgorithmId mAlgId = AlgorithmId.parse(derSPKACContent[1]); + @SuppressWarnings("unused") + byte mSignature[] = derSPKACContent[2].getBitString(); + + 
/* get PKAC SPKI & Challenge */ + byte mPKAC[] = derSPKACContent[0].toByteArray(); + + derIn = new DerInputStream(mPKAC); + DerValue derPKACContent[] = derIn.getSequence(2); + + @SuppressWarnings("unused") + DerValue mDerSPKI = derPKACContent[0]; + X509Key mSPKI = X509Key.parse(derPKACContent[0]); + + @SuppressWarnings("unused") + String mChallenge; + DerValue mDerChallenge = derPKACContent[1]; + + if (mDerChallenge.length() != 0) + mChallenge = derPKACContent[1].getIA5String(); + + CertificateX509Key certKey = new CertificateX509Key(mSPKI); + ByteArrayOutputStream certKeyOut = new ByteArrayOutputStream(); + certKey.encode(certKeyOut); + req.setExtData(IEnrollProfile.REQUEST_KEY, certKeyOut.toByteArray()); + info.set(X509CertInfo.KEY, certKey); + } catch (IOException e) { + CMS.debug("EnrollProfile: fillKeyGen " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: fillKeyGen " + e.toString()); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); + } + } + + public String normalizeCertReq(String s) { + if (s == null) { + return s; + } + s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----END CERTIFICATE REQUEST-----", ""); + s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", ""); + + StringBuffer sb = new StringBuffer(); + StringTokenizer st = new StringTokenizer(s, "\r\n "); + + while (st.hasMoreTokens()) { + String nextLine = st.nextToken(); + + nextLine = nextLine.trim(); + if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) + continue; + if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) + continue; + sb.append(nextLine); + } + 
return sb.toString(); + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + /** + * Populate input + *

+ * + * (either all "agent" profile cert requests NOT made through a connector, or all "EE" profile cert requests NOT + * made through a connector) + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST used when a profile cert request is made (before + * approval process) + *
+ * + * @param ctx profile context + * @param request the certificate request + * @exception EProfileException an error related to this profile has + * occurred + */ + public void populateInput(IProfileContext ctx, IRequest request) + throws EProfileException { + super.populateInput(ctx, request); + } + + public void populate(IRequest request) + throws EProfileException { + super.populate(request); + + } + + /** + * Passes the request to the set of constraint policies + * that validate the request against the profile. + */ + public void validate(IRequest request) + throws ERejectException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = auditRequesterID(request); + String auditProfileID = auditProfileID(); + String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String subject = null; + + // try { + X509CertInfo info = request.getExtDataInCertInfo(REQUEST_CERTINFO); + + try { + CertificateSubjectName sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + + // if the cert subject name is NOT MISSING, retrieve the + // actual "auditCertificateSubjectName" and "normalize" it + if (sn != null) { + subject = sn.toString(); + if (subject != null) { + // NOTE: This is ok even if the cert subject name + // is "" (empty)! 
+ auditCertificateSubjectName = subject.trim(); + } + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } catch (CertificateException e) { + CMS.debug("EnrollProfile: populate " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } catch (IOException e) { + CMS.debug("EnrollProfile: populate " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditProfileID, + auditCertificateSubjectName); + + audit(auditMessage); + } + + super.validate(request); + Object key = null; + + try { + key = info.get(X509CertInfo.KEY); + } catch (CertificateException e) { + } catch (IOException e) { + } + + if (key == null) { + Locale locale = getLocale(request); + + throw new ERejectException(CMS.getUserMessage( + locale, "CMS_PROFILE_EMPTY_KEY")); + } + + try { + CMS.debug("EnrollProfile certInfo : " + info); + } catch (NullPointerException e) { + // do nothing + } + } + + /** + * Signed Audit Log Requester ID + * + * This method is inherited by all extended "EnrollProfile"s, + * and is called to obtain the "RequesterID" for + * a signed audit log message. + *

+ * + * @param request the actual request + * @return id string containing the signed audit log message RequesterID + */ + protected String auditRequesterID(IRequest request) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String requesterID = ILogger.UNIDENTIFIED; + + if (request != null) { + // overwrite "requesterID" if and only if "id" != null + String id = request.getRequestId().toString(); + + if (id != null) { + requesterID = id.trim(); + } + } + + return requesterID; + } + + /** + * Signed Audit Log Profile ID + * + * This method is inherited by all extended "EnrollProfile"s, + * and is called to obtain the "ProfileID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message ProfileID + */ + protected String auditProfileID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String profileID = getId(); + + if (profileID != null) { + profileID = profileID.trim(); + } else { + profileID = ILogger.UNIDENTIFIED; + } + + return profileID; + } + + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + throws EProfileException { + CMS.debug("EnrollProfile ::in verifyPOP"); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { + return; + } + ProofOfPossession pop = certReqMsg.getPop(); + ProofOfPossession.Type popType = pop.getType(); + + if (popType != ProofOfPossession.SIGNATURE) { + return; + } + + try { + CryptoManager cm = CryptoManager.getInstance(); + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { + CMS.debug("POP verification using internal token"); + certReqMsg.verify(); + } else { + CMS.debug("POP verification using token:" + tokenName); + verifyToken = cm.getTokenByName(tokenName); + certReqMsg.verify(verifyToken); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + audit(auditMessage); + } catch (Exception e) { + + CMS.debug("Failed POP verify! " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR")); + } + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java b/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java new file mode 100644 index 000000000..3610520fd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/EnrollProfileContext.java @@ -0,0 +1,31 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.profile.IProfileContext; + +/** + * This class implements an enrollment profile context + * that carries information for request creation. + * + * @version $Revision$, $Date$ + */ +public class EnrollProfileContext extends ProfileContext + implements IProfileContext { + +} diff --git a/base/common/src/com/netscape/cms/profile/common/ProfileContext.java b/base/common/src/com/netscape/cms/profile/common/ProfileContext.java new file mode 100644 index 000000000..7d0686378 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/ProfileContext.java 
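Review bot: The `implements IProfileContext` clause on `EnrollProfileContext` is redundant, since the parent `ProfileContext` already declares that interface (see the next file in this commit), and the class body is empty. If the subclass exists only to give enrollment code a distinct type, a one-line class comment saying so would help, e.g. `/** Marker subclass; adds no behaviour beyond ProfileContext. */`, and the declaration can be shortened to `public class EnrollProfileContext extends ProfileContext {`.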
@@ -0,0 +1,39 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Hashtable; + +import com.netscape.certsrv.profile.IProfileContext; + +/** + * This class implements the profile context. + * + * @version $Revision$, $Date$ + */ +public class ProfileContext implements IProfileContext { + private Hashtable m_Attrs = new Hashtable(); + + public void set(String name, String value) { + m_Attrs.put(name, value); + } + + public String get(String name) { + return m_Attrs.get(name); + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java b/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java new file mode 100644 index 000000000..a8a90aef9 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/ProfilePolicy.java 
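Review bot: `set()` forwards straight to `Hashtable.put`, which throws `NullPointerException` for a null key or value, so a caller passing `set(name, null)` to clear an attribute will fail rather than remove it; `get(null)` throws as well. If nulls are never passed that is fine, but it is worth stating, e.g. `/** Stores an attribute; neither name nor value may be null (Hashtable semantics). */` on `set`, or guarding with `Objects.requireNonNull(name, "name")` so the failure names the offending argument. The field appears as a raw `Hashtable` in this rendering; if the generic parameters were lost on the page, ignore this, otherwise `return m_Attrs.get(name);` needs `Hashtable<String, String>` to compile.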
@@ -0,0 +1,53 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a profile policy that + * contains a default policy and a constraint + * policy. + * + * @version $Revision$, $Date$ + */ +public class ProfilePolicy implements IProfilePolicy { + private String mId = null; + private IPolicyDefault mDefault = null; + private IPolicyConstraint mConstraint = null; + + public ProfilePolicy(String id, IPolicyDefault def, IPolicyConstraint constraint) { + mId = id; + mDefault = def; + mConstraint = constraint; + } + + public String getId() { + return mId; + } + + public IPolicyDefault getDefault() { + return mDefault; + } + + public IPolicyConstraint getConstraint() { + return mConstraint; + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java new file mode 100644 index 000000000..36bac1fa7 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/RAEnrollProfile.java 
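Review bot: `mId`, `mDefault` and `mConstraint` are assigned only in the constructor and have no setters, so they can be declared `final` to make the policy immutable by construction, e.g. `private final String mId;`, `private final IPolicyDefault mDefault;`, `private final IPolicyConstraint mConstraint;`. The `= null` initializers then go away, and a reader no longer has to check whether the triple is mutated elsewhere. A short Javadoc on the constructor noting that `def` and `constraint` are not null-checked would also be useful, since `getDefault()` is dereferenced by the profile classes later in this commit.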
@@ -0,0 +1,128 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import java.util.Enumeration; + +import netscape.security.x509.X500Name; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.connector.IConnector; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.ra.IRAService; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestListener; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestStatus; + +/** + * This class implements a Registration Manager + * enrollment profile. 
+ * + * @version $Revision$, $Date$ + */ +public class RAEnrollProfile extends EnrollProfile { + + public RAEnrollProfile() { + super(); + } + + public IAuthority getAuthority() { + IAuthority authority = (IAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + if (authority == null) + return null; + return authority; + } + + public X500Name getIssuerName() { + IRegistrationAuthority ra = (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + X500Name issuerName = ra.getX500Name(); + + return issuerName; + } + + public void execute(IRequest request) + throws EProfileException { + + if (!isEnable()) { + CMS.debug("CAEnrollProfile: Profile Not Enabled"); + throw new EProfileException("Profile Not Enabled"); + } + + IRegistrationAuthority ra = + (IRegistrationAuthority) getAuthority(); + IRAService raService = (IRAService) ra.getRAService(); + + if (raService == null) { + throw new EProfileException("No RA Service"); + } + + IRequestQueue queue = ra.getRequestQueue(); + + // send request to CA + try { + IConnector caConnector = raService.getCAConnector(); + + if (caConnector == null) { + CMS.debug("RAEnrollProfile: CA connector not configured"); + } else { + caConnector.send(request); + // check response + if (!request.isSuccess()) { + CMS.debug("RAEnrollProfile error talking to CA setting req status to SVC_PENDING"); + + request.setRequestStatus(RequestStatus.SVC_PENDING); + + try { + queue.updateRequest(request); + } catch (EBaseException e) { + CMS.debug("RAEnrollProfile: Update request " + e.toString()); + } + throw new ERejectException( + request.getError(getLocale(request))); + } + } + } catch (Exception e) { + CMS.debug("RAEnrollProfile: " + e.toString()); + throw new EProfileException(e.toString()); + } + + // request handling + Enumeration names = ra.getRequestListenerNames(); + + if (names != null) { + while (names.hasMoreElements()) { + String name = names.nextElement(); + + CMS.debug("CAEnrollProfile: listener " + name); + IRequestListener listener 
= ra.getRequestListener(name); + + if (listener != null) { + listener.accept(request); + } + } + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java new file mode 100644 index 000000000..9be1e43c4 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java 
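Review bot: In `execute()`, the `ERejectException` thrown when `!request.isSuccess()` is raised inside the same `try` whose `catch (Exception e)` re-wraps everything as `new EProfileException(e.toString())`, so the rejection never reaches the caller as a reject and the original exception type and stack are lost. Either move the status check out of that `try`, or add `} catch (ERejectException e) { throw e; }` before the generic catch so the reject propagates unchanged. The generic catch also keeps only `e.toString()`; if `EProfileException` has a cause-taking constructor, pass `e` through rather than its string. The two `CMS.debug("CAEnrollProfile: ...")` messages in this class look like copy-paste from `CAEnrollProfile` and should say `RAEnrollProfile` so log lines can be attributed to the right profile.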
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfileEx; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a Certificate Manager enrollment + * profile for Server Certificates. + * + * @version $Revision$, $Date$ + */ +public class ServerCertCAEnrollProfile extends CAEnrollProfile + implements IProfileEx { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. 
+ */ + public void populate() throws EBaseException { + // create inputs + NameValuePairs inputParams1 = new NameValuePairs(); + createProfileInput("i1", "certReqInputImpl", inputParams1); + NameValuePairs inputParams2 = new NameValuePairs(); + createProfileInput("i2", "submitterInfoInputImpl", inputParams2); + + // create outputs + NameValuePairs outputParams1 = new NameValuePairs(); + createProfileOutput("o1", "certOutputImpl", outputParams1); + + createProfilePolicy("set1", "p1", + "userSubjectNameDefaultImpl", "noConstraintImpl"); + + IProfilePolicy policy2 = + createProfilePolicy("set1", "p2", + "validityDefaultImpl", "noConstraintImpl"); + IPolicyDefault def2 = policy2.getDefault(); + IConfigStore defConfig2 = def2.getConfigStore(); + defConfig2.putString("params.range", "180"); + defConfig2.putString("params.startTime", "0"); + + IProfilePolicy policy3 = + createProfilePolicy("set1", "p3", + "userKeyDefaultImpl", "noConstraintImpl"); + IPolicyDefault def3 = policy3.getDefault(); + IConfigStore defConfig3 = def3.getConfigStore(); + defConfig3.putString("params.keyType", "RSA"); + defConfig3.putString("params.keyMinLength", "512"); + defConfig3.putString("params.keyMaxLength", "4096"); + + IProfilePolicy policy4 = + createProfilePolicy("set1", "p4", + "signingAlgDefaultImpl", "noConstraintImpl"); + IPolicyDefault def4 = policy4.getDefault(); + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4 + .putString( + "params.signingAlgsAllowed", + "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", + "keyUsageExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def5 = policy5.getDefault(); + IConfigStore defConfig5 = def5.getConfigStore(); + defConfig5.putString("params.keyUsageCritical", "true"); + defConfig5.putString("params.keyUsageCrlSign", "false"); + 
defConfig5.putString("params.keyUsageDataEncipherment", "true"); + defConfig5.putString("params.keyUsageDecipherOnly", "false"); + defConfig5.putString("params.keyUsageDigitalSignature", "true"); + defConfig5.putString("params.keyUsageEncipherOnly", "false"); + defConfig5.putString("params.keyUsageKeyAgreement", "false"); + defConfig5.putString("params.keyUsageKeyCertSign", "false"); + defConfig5.putString("params.keyUsageKeyEncipherment", "true"); + defConfig5.putString("params.keyUsageNonRepudiation", "true"); + + } + +} diff --git a/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java new file mode 100644 index 000000000..3f1cdfb21 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java 
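Review bot: The `params.signingAlgsAllowed` default in `populate()` lists `MD5withRSA`, `MD2withRSA` and the SHA-1 variants, and `params.keyMinLength` is set to `"512"`, so a server-certificate profile created from these defaults will accept signature algorithms and key sizes that are broken or deprecated; the same defaults appear in the `UserCertCAEnrollProfile` hunk that follows. If these values are meant to track current guidance rather than preserve historical behaviour, a narrower allowed list such as `"SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"` and `defConfig3.putString("params.keyMinLength", "2048");` would be the safer starting point. At minimum a comment above the `signingAlgsAllowed` line should say that the list is a permissive legacy default and that deployments are expected to tighten it in the profile configuration.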
@@ -0,0 +1,100 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.common; + +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfileEx; +import com.netscape.certsrv.profile.IProfilePolicy; + +/** + * This class implements a Certificate Manager enrollment + * profile for User Certificates. + * + * @version $Revision$, $Date$ + */ +public class UserCertCAEnrollProfile extends CAEnrollProfile + implements IProfileEx { + + /** + * Called after initialization. It populates default + * policies, inputs, and outputs. 
+ */ + public void populate() throws EBaseException { + // create inputs + NameValuePairs inputParams1 = new NameValuePairs(); + createProfileInput("i1", "keyGenInputImpl", inputParams1); + NameValuePairs inputParams2 = new NameValuePairs(); + createProfileInput("i2", "subjectNameInputImpl", inputParams2); + createProfileInput("i3", "submitterInfoInputImpl", inputParams2); + + // create outputs + NameValuePairs outputParams1 = new NameValuePairs(); + createProfileOutput("o1", "certOutputImpl", outputParams1); + + // create policies + createProfilePolicy("set1", "p1", + "userSubjectNameDefaultImpl", "noConstraintImpl"); + + IProfilePolicy policy2 = + createProfilePolicy("set1", "p2", + "validityDefaultImpl", "noConstraintImpl"); + IPolicyDefault def2 = policy2.getDefault(); + IConfigStore defConfig2 = def2.getConfigStore(); + defConfig2.putString("params.range", "180"); + defConfig2.putString("params.startTime", "0"); + + IProfilePolicy policy3 = + createProfilePolicy("set1", "p3", + "userKeyDefaultImpl", "noConstraintImpl"); + IPolicyDefault def3 = policy3.getDefault(); + IConfigStore defConfig3 = def3.getConfigStore(); + defConfig3.putString("params.keyType", "RSA"); + defConfig3.putString("params.keyMinLength", "512"); + defConfig3.putString("params.keyMaxLength", "4096"); + + IProfilePolicy policy4 = + createProfilePolicy("set1", "p4", + "signingAlgDefaultImpl", "noConstraintImpl"); + IPolicyDefault def4 = policy4.getDefault(); + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4 + .putString( + "params.signingAlgsAllowed", + "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", + "keyUsageExtDefaultImpl", "noConstraintImpl"); + IPolicyDefault def5 = policy5.getDefault(); + IConfigStore defConfig5 = def5.getConfigStore(); + defConfig5.putString("params.keyUsageCritical", 
"true"); + defConfig5.putString("params.keyUsageCrlSign", "false"); + defConfig5.putString("params.keyUsageDataEncipherment", "false"); + defConfig5.putString("params.keyUsageDecipherOnly", "false"); + defConfig5.putString("params.keyUsageDigitalSignature", "true"); + defConfig5.putString("params.keyUsageEncipherOnly", "false"); + defConfig5.putString("params.keyUsageKeyAgreement", "false"); + defConfig5.putString("params.keyUsageKeyCertSign", "false"); + defConfig5.putString("params.keyUsageKeyEncipherment", "true"); + defConfig5.putString("params.keyUsageNonRepudiation", "true"); + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java new file mode 100644 index 000000000..f924c587f --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java 
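Review bot: `populate()` passes the same `inputParams2` instance to both `createProfileInput("i2", ...)` and `createProfileInput("i3", ...)`, whereas every other input gets its own `NameValuePairs`; if `createProfileInput` retains the reference, the two inputs would share mutable parameter state. Giving `i3` its own object, `NameValuePairs inputParams3 = new NameValuePairs();` and `createProfileInput("i3", "submitterInfoInputImpl", inputParams3);`, keeps the inputs independent and matches the pattern used in the server-certificate profile. The weak signing-algorithm and 512-bit key defaults in this hunk are the same as in the `ServerCertCAEnrollProfile` hunk above and are covered by the note there.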
@@ -0,0 +1,224 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.BasicConstraintsExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.BasicConstraintsExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the basic constraints extension constraint. + * It checks if the basic constraint in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class BasicConstraintsExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = + "basicConstraintsCritical"; + public static final String CONFIG_IS_CA = + "basicConstraintsIsCA"; + public static final String CONFIG_MIN_PATH_LEN = + "basicConstraintsMinPathLen"; + public static final String CONFIG_MAX_PATH_LEN = + "basicConstraintsMaxPathLen"; + + public BasicConstraintsExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_IS_CA); + addConfigName(CONFIG_MIN_PATH_LEN); + addConfigName(CONFIG_MAX_PATH_LEN); + } + + /** + * Initializes this constraint plugin. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_IS_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(CONFIG_MIN_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, "CMS_PROFILE_MIN_PATH_LEN")); + } else if (name.equals(CONFIG_MAX_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "100", + CMS.getUserMessage(locale, "CMS_PROFILE_MAX_PATH_LEN")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + + try { + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), + info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_IS_CA); + if (!isOptional(value)) { + boolean isCA = getBoolean(value); + Boolean extIsCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + + if (isCA != extIsCA.booleanValue()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_IS_CA")); + } + } + value = getConfig(CONFIG_MIN_PATH_LEN); + if (!isOptional(value)) { + int pathLen = getInt(value); + Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + + if (pathLen > extPathLen.intValue()) { + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " > extPathLen=" + extPathLen); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MIN_PATH")); + } + } + value = getConfig(CONFIG_MAX_PATH_LEN); + if (!isOptional(value)) { + int pathLen = getInt(value); + Integer extPathLen = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN); + + if (pathLen < extPathLen.intValue()) { + CMS.debug("BasicCOnstraintsExtConstraint: pathLen=" + pathLen + " < extPathLen=" + extPathLen); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_MAX_PATH")); + } + } + } 
catch (IOException e) { + CMS.debug("BasicConstraintsExt: validate " + e.toString()); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.BasicConstraints_Id.toString())); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_IS_CA), + getConfig(CONFIG_MIN_PATH_LEN), + getConfig(CONFIG_MAX_PATH_LEN) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_BASIC_CONSTRAINTS_EXT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof BasicConstraintsExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("BasicConstraintsExt: mConfig.getSubStore is null"); + // + } else { + + CMS.debug("BasicConstraintsExt: setConfig name " + name + " value " + value); + + if (name.equals(CONFIG_MAX_PATH_LEN)) { + + String minPathLen = getConfig(CONFIG_MIN_PATH_LEN); + + int minLen = getInt(minPathLen); + + int maxLen = getInt(value); + + if (minLen >= maxLen) { + CMS.debug("BasicConstraintExt: minPathLen >= maxPathLen!"); + + throw new EPropertyException("bad value"); + } + + } + mConfig.getSubStore("params").putString(name, value); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java new file mode 100644 index 000000000..c0a9758da --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/CAEnrollConstraint.java 
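Review bot: setConfig() at the end of the hunk enforces minPathLen < maxPathLen only when CONFIG_MAX_PATH_LEN is the name being written, so storing CONFIG_MIN_PATH_LEN afterwards (or first, against the stored maximum) bypasses the check entirely, and getInt() on an empty or "-" value for either bound escapes as an unchecked NumberFormatException instead of the EPropertyException the signature declares. The `>=` comparison is also inconsistent with validate(), which accepts a certificate whose pathLen equals both bounds, so `>` is the comparison that matches the constraint it guards. I would check whichever bound is being written against the other stored one, skip the comparison when either side is optional, and turn parse failures into EPropertyException, as below.

```java
    public void setConfig(String name, String value)
            throws EPropertyException {
        // … unchanged: null "params" substore guard and debug trace …
        boolean settingMin = name.equals(CONFIG_MIN_PATH_LEN);
        if ((settingMin || name.equals(CONFIG_MAX_PATH_LEN)) && !isOptional(value)) {
            String other = getConfig(settingMin ? CONFIG_MAX_PATH_LEN : CONFIG_MIN_PATH_LEN);
            try {
                int newLen = getInt(value);
                // "" or "-" on the other bound means unconstrained: nothing to compare against
                if (!isOptional(other)) {
                    int minLen = settingMin ? newLen : getInt(other);
                    int maxLen = settingMin ? getInt(other) : newLen;
                    // '>' rather than '>=': validate() accepts pathLen == min == max
                    if (minLen > maxLen) {
                        CMS.debug("BasicConstraintExt: minPathLen > maxPathLen!");
                        throw new EPropertyException("bad value");
                    }
                }
            } catch (NumberFormatException e) {
                throw new EPropertyException("bad value");
            }
        }
        mConfig.getSubStore("params").putString(name, value);
    }
```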
@@ -0,0 +1,48 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+
+/**
+ * This class represents an abstract class for CA enrollment
+ * constraint.
+ */
+public abstract class CAEnrollConstraint extends EnrollConstraint {
+
+ /**
+ * Constructs a CA enrollment constraint.
+ */
+ public CAEnrollConstraint() {
+ super();
+ }
+
+ /**
+ * Retrieves the CA certificate.
+ */
+ public X509CertImpl getCACert() {
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ X509CertImpl caCert = ca.getCACert();
+
+ return caCert;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
new file mode 100644
index 000000000..e118fa215
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
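Review bot: getCACert() casts and dereferences the result of CMS.getSubsystem(CMS.SUBSYSTEM_CA) with no null check, so on an instance where the CA subsystem is not registered (getSubsystem presumably returns null then; I cannot confirm from this hunk) the failure is a NullPointerException out of whichever constraint called it, e.g. CAValidityConstraint.init(). Subclasses then cannot tell "no CA available" from a programming error. I would make the absence explicit with `if (ca == null) { CMS.debug("CAEnrollConstraint: CA subsystem not available"); return null; }` and state in the Javadoc that the method returns null when no CA subsystem is loaded, so callers know to guard for it.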
@@ -0,0 +1,139 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.CAValidityDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserValidityDefault; +import com.netscape.cms.profile.def.ValidityDefault; + +/** + * This class implements the validity constraint. + * It checks if the validity in the certificate + * template is within the CA's validity. 
+ * + * @version $Revision$, $Date$ + */ +public class CAValidityConstraint extends CAEnrollConstraint { + + private Date mDefNotBefore = null; + private Date mDefNotAfter = null; + + public CAValidityConstraint() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + X509CertImpl caCert = getCACert(); + + mDefNotBefore = caCert.getNotBefore(); + mDefNotAfter = caCert.getNotAfter(); + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("CAValidityConstraint: validate start"); + CertificateValidity v = null; + + try { + v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); + } catch (Exception e) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notBefore = null; + + try { + notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); + } catch (IOException e) { + CMS.debug("CAValidity: not before " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } + Date notAfter = null; + + try { + notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); + } catch (IOException e) { + CMS.debug("CAValidity: not after " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + + if (mDefNotBefore != null) { + CMS.debug("ValidtyConstraint: notBefore=" + notBefore + + " defNotBefore=" + mDefNotBefore); + if (notBefore.before(mDefNotBefore)) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); + } + } + CMS.debug("ValidtyConstraint: notAfter=" + notAfter + + " defNotAfter=" + mDefNotAfter); + if (notAfter.after(mDefNotAfter)) { + throw new ERejectException(CMS.getUserMessage( + 
getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); + } + + CMS.debug("CAValidtyConstraint: validate end"); + } + + public String getText(Locale locale) { + String params[] = { + mDefNotBefore.toString(), + mDefNotAfter.toString() + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserValidityDefault) + return true; + if (def instanceof ValidityDefault) + return true; + if (def instanceof CAValidityDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java new file mode 100644 index 000000000..40c2153a8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/EnrollConstraint.java 
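Review bot: The two bounds checks in validate() are asymmetric in a way that matters for a CA: the lower bound is skipped entirely when mDefNotBefore is null (fail-open), while the upper bound dereferences notAfter and mDefNotAfter with no guard, so a missing value becomes a NullPointerException rather than a rejection. Since this constraint exists to keep issued certificates inside the CA certificate's own lifetime, both bounds should fail closed: add `if (notBefore == null || notAfter == null || mDefNotBefore == null || mDefNotAfter == null) throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_VALIDITY_NOT_FOUND"));` before the comparisons and then compare unconditionally. getText() dereferences the same two fields and would fail the same way. Note also that init() caches the CA certificate's dates once; if the CA certificate is renewed without a restart the cached bounds presumably go stale, which is worth a comment on the two fields.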
@@ -0,0 +1,214 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyConstraint; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the generic enrollment constraint. 
+ * + * @version $Revision$, $Date$ + */ +public abstract class EnrollConstraint implements IPolicyConstraint { + public static final String CONFIG_NAME = "name"; + + protected IConfigStore mConfig = null; + protected Vector mConfigNames = new Vector(); + + public EnrollConstraint() { + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public void addConfigName(String name) { + mConfigNames.addElement(name); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) + return null; + if (mConfig.getSubStore("params") != null) { + String val = mConfig.getSubStore("params").getString(name); + + return val; + } + } catch (EBaseException e) { + CMS.debug(e.toString()); + } + return ""; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Validates the request. The request is not modified + * during the validation. + * + * @param request enrollment request + * @param info certificate template + * @exception ERejectException request is rejected due + * to violation of constraint + */ + public abstract void validate(IRequest request, X509CertInfo info) + throws ERejectException; + + /** + * Validates the request. 
The request is not modified + * during the validation. + * + * The current implementation of this method calls + * into the subclass's validate(request, info) + * method for validation checking. + * + * @param request request + * @exception ERejectException request is rejected due + * to violation of constraint + */ + public void validate(IRequest request) + throws ERejectException { + String name = getClass().getName(); + + name = name.substring(name.lastIndexOf('.') + 1); + CMS.debug(name + ": validate start"); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + validate(request, info); + + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + CMS.debug(name + ": validate end"); + } + + public String getText(Locale locale) { + return "Enroll Constraint"; + } + + public String getName(Locale locale) { + try { + return mConfig.getString(CONFIG_NAME); + } catch (EBaseException e) { + return null; + } + } + + protected Extension getExtension(String name, X509CertInfo info) { + CertificateExtensions exts = null; + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + CMS.debug("EnrollConstraint: getExtension " + e.toString()); + } + if (exts == null) + return null; + Enumeration e = exts.getAttributes(); + + while (e.hasMoreElements()) { + Extension ext = e.nextElement(); + + if (ext.getExtensionId().toString().equals(name)) { + return ext; + } + } + return null; + } + + protected boolean isOptional(String value) { + if (value.equals("") || value.equals("-")) + return true; + else + return false; + } + + protected boolean getBoolean(String value) { + return Boolean.valueOf(value).booleanValue(); + } + + protected int getInt(String value) { + return Integer.valueOf(value).intValue(); + } + + protected boolean getConfigBoolean(String value) { + return getBoolean(getConfig(value)); + } + + protected int getConfigInt(String value) { + return getInt(getConfig(value)); + } + + 
public boolean isApplicable(IPolicyDefault def) { + return true; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java new file mode 100644 index 000000000..3c737e8a5 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ExtendedKeyUsageExtConstraint.java 
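Review bot: getInt() and getConfigInt() call Integer.valueOf() with no handling, so a malformed or blank numeric parameter in a profile makes a subclass's validate(request, info) abort with an unchecked NumberFormatException instead of the ERejectException the contract declares, and getBoolean() silently maps any string other than "true" (including "-" when a caller forgets isOptional()) to false. Rejection should be the only way out of validate(IRequest): wrap the delegate call so a runtime failure inside a constraint is logged and turned into a rejection, as below. The Javadoc on validate(IRequest) also says the request is not modified, yet the method writes the template back with `request.setExtData(EnrollProfile.REQUEST_CERTINFO, info)`; either drop the write or correct the comment.

```java
    public void validate(IRequest request)
            throws ERejectException {
        // … unchanged: derive short class name, debug trace, fetch info …
        try {
            validate(request, info);
        } catch (RuntimeException e) {
            // a malformed profile parameter must reject the request, not surface as a server error
            CMS.debug(name + ": validate failed: " + e.toString());
            throw new ERejectException(e.toString());
        }
        // … unchanged: write-back of info and debug trace …
    }
```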
@@ -0,0 +1,156 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.extensions.ExtendedKeyUsageExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the extended key usage extension constraint. + * It checks if the extended key usage extension in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ExtendedKeyUsageExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "exKeyUsageCritical"; + public static final String CONFIG_OIDS = + "exKeyUsageOIDs"; + + public ExtendedKeyUsageExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OIDS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OIDS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + ExtendedKeyUsageExtension.OID)); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + + // Build local cache of configured OIDs + Vector mCache = new Vector(); + StringTokenizer st = new StringTokenizer(getConfig(CONFIG_OIDS), ","); + + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + mCache.addElement(oid); + } + + // check OIDs + Enumeration e = ext.getOIDs(); + + while 
(e.hasMoreElements()) { + ObjectIdentifier oid = e.nextElement(); + + if (!mCache.contains(oid.toString())) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_OID_NOT_MATCHED", + oid.toString())); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OIDS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_EXTENDED_KEY_EXT_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof ExtendedKeyUsageExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java new file mode 100644 index 000000000..1562fddb8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ExtensionConstraint.java 
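Review bot: The allowed-OID list in validate() is built with StringTokenizer over the raw config value and each token is stored untrimmed, so a value written with spaces after the commas rejects every certificate carrying the second and later OIDs; that fails closed, but it is an operator trap, and `mCache.addElement(st.nextToken().trim());` removes it. If getConfig(CONFIG_OIDS) returns null (mConfig unset) the StringTokenizer constructor throws a NullPointerException rather than producing a rejection. The loop's semantics — every OID present in the extension must appear in the configured list, so an empty list rejects any EKU extension — is the security property here and deserves a one-line comment above the OID loop so nobody later "relaxes" it to a subset check; mCache is also a local, so the m prefix is misleading.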
@@ -0,0 +1,146 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.EnrollExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the general extension constraint. + * It checks if the extension in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ExtensionConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "extCritical"; + public static final String CONFIG_OID = "extOID"; + + public ExtensionConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("ExtensionConstraint: mConfig.getSubStore is null"); + } else { + CMS.debug("ExtensionConstraint: setConfig name=" + name + + " value=" + value); + + if (name.equals(CONFIG_OID)) { + try { + CMS.checkOID("", value); + } catch (Exception e) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", value)); + } + } + mConfig.getSubStore("params").putString(name, value); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + + Extension ext = getExtension(getConfig(CONFIG_OID), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + getConfig(CONFIG_OID))); + } + + // check criticality + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OID) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_EXTENSION_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + if (def instanceof EnrollExtDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java new file mode 100644 index 000000000..e6f5019a0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/KeyConstraint.java 
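Review bot: setConfig() validates CONFIG_OID through CMS.checkOID() but stores CONFIG_CRITICAL unchecked, while validate() feeds it to getBoolean(), which maps any string other than "true" to false: an administrator who enters "yes" gets a non-optional false, and the constraint then silently requires the extension to be non-critical, the opposite of what was intended. Add `if (name.equals(CONFIG_CRITICAL) && !isOptional(value) && !value.equalsIgnoreCase("true") && !value.equalsIgnoreCase("false")) throw new EPropertyException(CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", value));` beside the OID check so the stored value matches the "true,false,-" choices the descriptor advertises. The checkOID() gate presumably also does not apply to values loaded straight from the config store at init(), which I cannot confirm from this hunk; if so, the same check belongs in init(). The lookup in validate() compares exact OID strings, so stray whitespace in extOID never matches and rejects everything, which is safe but worth a comment.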
@@ -0,0 +1,644 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.util.HashMap; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.provider.DSAPublicKey; +import netscape.security.provider.RSAPublicKey; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserKeyDefault; + +/** + * This constraint is to check the key type and + * key length. 
+ * + * @version $Revision$, $Date$ + */ +@SuppressWarnings("serial") +public class KeyConstraint extends EnrollConstraint { + + public static final String CONFIG_KEY_TYPE = "keyType"; // (EC, RSA) + public static final String CONFIG_KEY_PARAMETERS = "keyParameters"; + + private static final String[] ecCurves = { + "nistp256", "nistp384", "nistp521", "sect163k1", "nistk163", "sect163r1", "sect163r2", + "nistb163", "sect193r1", "sect193r2", "sect233k1", "nistk233", "sect233r1", "nistb233", "sect239k1", + "sect283k1", "nistk283", + "sect283r1", "nistb283", "sect409k1", "nistk409", "sect409r1", "nistb409", "sect571k1", "nistk571", + "sect571r1", "nistb571", + "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp192r1", "nistp192", "secp224k1", "secp224r1", + "nistp224", "secp256k1", + "secp256r1", "secp384r1", "secp521r1", "prime192v1", "prime192v2", "prime192v3", "prime239v1", + "prime239v2", "prime239v3", "c2pnb163v1", + "c2pnb163v2", "c2pnb163v3", "c2pnb176v1", "c2tnb191v1", "c2tnb191v2", "c2tnb191v3", "c2pnb208w1", + "c2tnb239v1", "c2tnb239v2", "c2tnb239v3", + "c2pnb272w1", "c2pnb304w1", "c2tnb359w1", "c2pnb368w1", "c2tnb431r1", "secp112r1", "secp112r2", + "secp128r1", "secp128r2", "sect113r1", "sect113r2", + "sect131r1", "sect131r2" + }; + + private final static HashMap> ecOIDs = new HashMap>(); + static { + ecOIDs.put("1.2.840.10045.3.1.7", new Vector() { + { + add("nistp256"); + add("secp256r1"); + } + }); + ecOIDs.put("1.3.132.0.34", new Vector() { + { + add("nistp384"); + add("secp384r1"); + } + }); + ecOIDs.put("1.3.132.0.35", new Vector() { + { + add("nistp521"); + add("secp521r1"); + } + }); + ecOIDs.put("1.3.132.0.1", new Vector() { + { + add("sect163k1"); + add("nistk163"); + } + }); + ecOIDs.put("1.3.132.0.2", new Vector() { + { + add("sect163r1"); + } + }); + ecOIDs.put("1.3.132.0.15", new Vector() { + { + add("sect163r2"); + add("nistb163"); + } + }); + ecOIDs.put("1.3.132.0.24", new Vector() { + { + add("sect193r1"); + } + }); + 
ecOIDs.put("1.3.132.0.25", new Vector() { + { + add("sect193r2"); + } + }); + ecOIDs.put("1.3.132.0.26", new Vector() { + { + add("sect233k1"); + add("nistk233"); + } + }); + ecOIDs.put("1.3.132.0.27", new Vector() { + { + add("sect233r1"); + add("nistb233"); + } + }); + ecOIDs.put("1.3.132.0.3", new Vector() { + { + add("sect239k1"); + } + }); + ecOIDs.put("1.3.132.0.16", new Vector() { + { + add("sect283k1"); + add("nistk283"); + } + }); + ecOIDs.put("1.3.132.0.17", new Vector() { + { + add("sect283r1"); + add("nistb283"); + } + }); + ecOIDs.put("1.3.132.0.36", new Vector() { + { + add("sect409k1"); + add("nistk409"); + } + }); + ecOIDs.put("1.3.132.0.37", new Vector() { + { + add("sect409r1"); + add("nistb409"); + } + }); + ecOIDs.put("1.3.132.0.38", new Vector() { + { + add("sect571k1"); + add("nistk571"); + } + }); + ecOIDs.put("1.3.132.0.39", new Vector() { + { + add("sect571r1"); + add("nistb571"); + } + }); + ecOIDs.put("1.3.132.0.9", new Vector() { + { + add("secp160k1"); + } + }); + ecOIDs.put("1.3.132.0.8", new Vector() { + { + add("secp160r1"); + } + }); + ecOIDs.put("1.3.132.0.30", new Vector() { + { + add("secp160r2"); + } + }); + ecOIDs.put("1.3.132.0.31", new Vector() { + { + add("secp192k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.1", new Vector() { + { + add("secp192r1"); + add("nistp192"); + add("prime192v1"); + } + }); + ecOIDs.put("1.3.132.0.32", new Vector() { + { + add("secp224k1"); + } + }); + ecOIDs.put("1.3.132.0.33", new Vector() { + { + add("secp224r1"); + add("nistp224"); + } + }); + ecOIDs.put("1.3.132.0.10", new Vector() { + { + add("secp256k1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.2", new Vector() { + { + add("prime192v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.3", new Vector() { + { + add("prime192v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.4", new Vector() { + { + add("prime239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.5", new Vector() { + { + add("prime239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.1.6", 
new Vector() { + { + add("prime239v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.1", new Vector() { + { + add("c2pnb163v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.2", new Vector() { + { + add("c2pnb163v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.3", new Vector() { + { + add("c2pnb163v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.4", new Vector() { + { + add("c2pnb176v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.5", new Vector() { + { + add("c2tnb191v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.6", new Vector() { + { + add("c2tnb191v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.7", new Vector() { + { + add("c2tnb191v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.10", new Vector() { + { + add("c2pnb208w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.11", new Vector() { + { + add("c2tnb239v1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.12", new Vector() { + { + add("c2tnb239v2"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.13", new Vector() { + { + add("c2tnb239v3"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.16", new Vector() { + { + add("c2pnb272w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.17", new Vector() { + { + add("c2pnb304w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.19", new Vector() { + { + add("c2pnb368w1"); + } + }); + ecOIDs.put("1.2.840.10045.3.0.20", new Vector() { + { + add("c2tnb431r1"); + } + }); + ecOIDs.put("1.3.132.0.6", new Vector() { + { + add("secp112r1"); + } + }); + ecOIDs.put("1.3.132.0.7", new Vector() { + { + add("secp112r2"); + } + }); + ecOIDs.put("1.3.132.0.28", new Vector() { + { + add("secp128r1"); + } + }); + ecOIDs.put("1.3.132.0.29", new Vector() { + { + add("secp128r2"); + } + }); + ecOIDs.put("1.3.132.0.4", new Vector() { + { + add("sect113r1"); + } + }); + ecOIDs.put("1.3.132.0.5", new Vector() { + { + add("sect113r2"); + } + }); + ecOIDs.put("1.3.132.0.22", new Vector() { + { + add("sect131r1"); + } + }); + ecOIDs.put("1.3.132.0.23", new Vector() { + { + add("sect131r2"); + } + }); + } + + private static String[] 
cfgECCurves = null; + private static String keyType = ""; + private static String keyParams = ""; + + public KeyConstraint() { + super(); + addConfigName(CONFIG_KEY_TYPE); + addConfigName(CONFIG_KEY_PARAMETERS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + String ecNames = ""; + try { + ecNames = CMS.getConfigStore().getString("keys.ecc.curve.list"); + } catch (Exception e) { + } + + CMS.debug("KeyConstraint.init ecNames: " + ecNames); + if (ecNames != null && ecNames.length() != 0) { + cfgECCurves = ecNames.split(","); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_KEY_TYPE)) { + return new Descriptor(IDescriptor.CHOICE, "-,RSA,EC", + "RSA", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE")); + } else if (name.equals(CONFIG_KEY_PARAMETERS)) { + return new Descriptor(IDescriptor.STRING, null, "", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_PARAMETERS")); + } + + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + + String alg = key.getAlgorithmId().getName().toUpperCase(); + String value = getConfig(CONFIG_KEY_TYPE); + String keyType = value; + + if (!isOptional(value)) { + if (!alg.equals(value)) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_TYPE_NOT_MATCHED", + value)); + } + } + + int keySize = 0; + + if (alg.equals("RSA")) { + keySize = getRSAKeyLen(key); + } else if (alg.equals("DSA")) { + keySize = getDSAKeyLen(key); + } else if (alg.equals("EC")) { + //EC key case. 
+ } else { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_INVALID_KEY_TYPE", + alg)); + } + + value = getConfig(CONFIG_KEY_PARAMETERS); + + String[] keyParams = value.split(","); + + if (alg.equals("EC")) { + if (!alg.equals(keyType) && !isOptional(keyType)) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + + AlgorithmId algid = key.getAlgorithmId(); + + CMS.debug("algId: " + algid); + + //Get raw string representation of alg parameters, will give + //us the curve OID. + + String params = null; + if (algid != null) { + params = algid.getParametersString(); + } + + if (params.startsWith("OID.")) { + params = params.substring(4); + } + + CMS.debug("EC key OID: " + params); + Vector vect = ecOIDs.get(params); + + boolean curveFound = false; + + if (vect != null) { + CMS.debug("vect: " + vect.toString()); + + if (!isOptional(keyType)) { + //Check the curve parameters only if explicit ECC or not optional + for (int i = 0; i < keyParams.length; i++) { + String ecParam = keyParams[i]; + CMS.debug("keyParams[i]: " + i + " param: " + ecParam); + if (vect.contains(ecParam)) { + curveFound = true; + CMS.debug("KeyConstraint.validate: EC key constrainst passed."); + break; + } + } + } else { + curveFound = true; + } + } + + if (!curveFound) { + CMS.debug("KeyConstraint.validate: EC key constrainst failed."); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + + } else { + if (!arrayContainsString(keyParams, Integer.toString(keySize))) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", + value)); + } + CMS.debug("KeyConstraint.validate: RSA key contraints passed."); + } + } catch (Exception e) { + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("KeyConstraint: " + e.toString()); 
+ throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_KEY_NOT_FOUND")); + } + } + + public int getRSAKeyLen(X509Key key) throws Exception { + X509Key newkey = null; + + try { + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); + } catch (Exception e) { + CMS.debug("KeyConstraint: getRSAKey Len " + e.toString()); + return -1; + } + RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); + + return rsaKey.getKeySize(); + } + + public int getDSAKeyLen(X509Key key) throws Exception { + // Check DSAKey parameters. + // size refers to the p parameter. + DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); + DSAParams keyParams = dsaKey.getParams(); + BigInteger p = keyParams.getP(); + int len = p.bitLength(); + + return len; + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_KEY_TYPE), + getConfig(CONFIG_KEY_PARAMETERS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_KEY_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserKeyDefault) + return true; + return false; + } + + public void setConfig(String name, String value) + throws EPropertyException { + + CMS.debug("KeyConstraint.setConfig name: " + name + " value: " + value); + //establish keyType, we don't know which order these params will arrive + if (name.equals(CONFIG_KEY_TYPE)) { + keyType = value; + if (keyParams.equals("")) + return; + } + + //establish keyParams + if (name.equals(CONFIG_KEY_PARAMETERS)) { + CMS.debug("establish keyParams: " + value); + keyParams = value; + + if (keyType.equals("")) + return; + } + // All the params we need for validation have been collected, + // we don't know which order they will show up + if (keyType.length() > 0 && keyParams.length() > 0) { + String[] params = keyParams.split(","); + boolean isECCurve = false; + int keySize = 0; + + for (int i = 0; i < params.length; i++) { + 
if (keyType.equals("EC")) { + if (cfgECCurves == null) { + //Use the static array as a backup if the config values are not present. + isECCurve = arrayContainsString(ecCurves, params[i]); + } else { + isECCurve = arrayContainsString(cfgECCurves, params[i]); + } + if (isECCurve == false) { //Not a valid EC curve throw exception. + keyType = ""; + keyParams = ""; + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } else { + try { + keySize = Integer.parseInt(params[i]); + } catch (Exception e) { + keySize = 0; + } + if (keySize <= 0) { + keyType = ""; + keyParams = ""; + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } + } + } + //Actually set the configuration in the profile + super.setConfig(CONFIG_KEY_TYPE, keyType); + super.setConfig(CONFIG_KEY_PARAMETERS, keyParams); + + //Reset the vars for next round. + keyType = ""; + keyParams = ""; + } + + private boolean arrayContainsString(String[] array, String value) { + + if (array == null || value == null) { + return false; + } + + for (int i = 0; i < array.length; i++) { + if (array[i].equals(value)) { + return true; + } + } + + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java new file mode 100644 index 000000000..927c64ec2 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/KeyUsageExtConstraint.java 
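Review bot: `keyType`, `keyParams` and `cfgECCurves` are `static` fields that `setConfig` uses as cross-call scratch state, so every KeyConstraint instance in the JVM shares them: a call that stores only `keyType` returns early (`if (keyParams.equals("")) return;`) and leaves it behind, and the next `setConfig(CONFIG_KEY_PARAMETERS, …)` from any other profile, or from a concurrent configuration, is combined and validated against it. Making them instance fields, `private String keyType = "";` and `private String keyParams = "";`, keeps the collected pair with the profile that owns it, and `cfgECCurves` should be per instance for the same reason. Separately, the EC branch of `validate` dereferences `params` (`params.startsWith("OID.")`) even when `algid` is null or `getParametersString()` returns null; that NPE is swallowed by the outer `catch (Exception e)` and reported as CMS_PROFILE_KEY_NOT_FOUND, which hides the real cause, so guard it with `if (params == null) throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_KEY_PARAMS_NOT_MATCHED", value));` before the prefix strip. The local `String keyType = value;` in `validate` also shadows the static field of the same name, which makes the setConfig/validate interaction harder to follow, and the empty `catch (Exception e) { }` in `init` should at least `CMS.debug` why the curve list could not be read.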
@@ -0,0 +1,291 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.KeyUsageExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the key usage extension constraint. + * It checks if the key usage constraint in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class KeyUsageExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "keyUsageCritical"; + public static final String CONFIG_DIGITAL_SIGNATURE = + "keyUsageDigitalSignature"; + public static final String CONFIG_NON_REPUDIATION = + "keyUsageNonRepudiation"; + public static final String CONFIG_KEY_ENCIPHERMENT = + "keyUsageKeyEncipherment"; + public static final String CONFIG_DATA_ENCIPHERMENT = + "keyUsageDataEncipherment"; + public static final String CONFIG_KEY_AGREEMENT = "keyUsageKeyAgreement"; + public static final String CONFIG_KEY_CERTSIGN = "keyUsageKeyCertSign"; + public static final String CONFIG_CRL_SIGN = "keyUsageCrlSign"; + public static final String CONFIG_ENCIPHER_ONLY = "keyUsageEncipherOnly"; + public static final String CONFIG_DECIPHER_ONLY = "keyUsageDecipherOnly"; + + public KeyUsageExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_DIGITAL_SIGNATURE); + addConfigName(CONFIG_NON_REPUDIATION); + addConfigName(CONFIG_KEY_ENCIPHERMENT); + addConfigName(CONFIG_DATA_ENCIPHERMENT); + addConfigName(CONFIG_KEY_AGREEMENT); + addConfigName(CONFIG_KEY_CERTSIGN); + addConfigName(CONFIG_CRL_SIGN); + addConfigName(CONFIG_ENCIPHER_ONLY); + addConfigName(CONFIG_DECIPHER_ONLY); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_DIGITAL_SIGNATURE)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); + } else if (name.equals(CONFIG_NON_REPUDIATION)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + 
CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); + } else if (name.equals(CONFIG_KEY_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); + } else if (name.equals(CONFIG_DATA_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); + } else if (name.equals(CONFIG_KEY_AGREEMENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); + } else if (name.equals(CONFIG_KEY_CERTSIGN)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); + } else if (name.equals(CONFIG_CRL_SIGN)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_SIGN")); + } else if (name.equals(CONFIG_ENCIPHER_ONLY)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); + } else if (name.equals(CONFIG_DECIPHER_ONLY)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); + } + return null; + } + + public boolean isSet(boolean bits[], int position) { + if (bits.length <= position) + return false; + return bits[position]; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + KeyUsageExtension ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + PKIXExtensions.KeyUsage_Id.toString())); + } + + boolean[] bits = ext.getBits(); + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_DIGITAL_SIGNATURE); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 0)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_DIGITAL_SIGNATURE_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_NON_REPUDIATION); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 1)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NON_REPUDIATION_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_KEY_ENCIPHERMENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 2)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_KEY_ENCIPHERMENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_DATA_ENCIPHERMENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 3)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_DATA_ENCIPHERMENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_KEY_AGREEMENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 4)) { + throw new ERejectException( + 
CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_KEY_AGREEMENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_KEY_CERTSIGN); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 5)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_KEY_CERTSIGN_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_CRL_SIGN); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 6)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRL_SIGN_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_ENCIPHER_ONLY); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 7)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_ENCIPHER_ONLY_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_DECIPHER_ONLY); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != isSet(bits, 8)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_DECIPHER_ONLY_NOT_MATCHED", + value)); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_DIGITAL_SIGNATURE), + getConfig(CONFIG_NON_REPUDIATION), + getConfig(CONFIG_KEY_ENCIPHERMENT), + getConfig(CONFIG_DATA_ENCIPHERMENT), + getConfig(CONFIG_KEY_AGREEMENT), + getConfig(CONFIG_KEY_CERTSIGN), + getConfig(CONFIG_CRL_SIGN), + getConfig(CONFIG_ENCIPHER_ONLY), + getConfig(CONFIG_DECIPHER_ONLY) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_KEY_USAGE_EXT_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof KeyUsageExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java new file mode 100644 index 000000000..843360542 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java 
@@ -0,0 +1,243 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NSCertTypeExtDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserExtensionDefault; + +/** + * This class implements the Netscape certificate type extension constraint. + * It checks if the Netscape certificate type extension in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class NSCertTypeExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "nsCertCritical"; + public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient"; + public static final String CONFIG_SSL_SERVER = "nsCertSSLServer"; + public static final String CONFIG_EMAIL = "nsCertEmail"; + public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String CONFIG_SSL_CA = "nsCertSSLCA"; + public static final String CONFIG_EMAIL_CA = "nsCertEmailCA"; + public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public NSCertTypeExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SSL_CLIENT); + addConfigName(CONFIG_SSL_SERVER); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_OBJECT_SIGNING); + addConfigName(CONFIG_SSL_CA); + addConfigName(CONFIG_EMAIL_CA); + addConfigName(CONFIG_OBJECT_SIGNING_CA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_SSL_CLIENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(CONFIG_SSL_SERVER)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); + } else if (name.equals(CONFIG_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, 
"CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(CONFIG_SSL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(CONFIG_EMAIL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, + "CMS_PROFILE_OBJECT_SIGNING_CA")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + NSCertTypeExtension ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + NSCertTypeExtension.CertType_Id.toString())); + } + + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_SSL_CLIENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(0)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_SERVER); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(1)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_SERVER_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(2)) { + throw 
new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(3)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(4)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(5)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(6)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED", + value)); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), + getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), + getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), + getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof NSCertTypeExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java new file mode 100644 index 000000000..459e9f219 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/NoConstraint.java 
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IPolicyConstraint;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements no constraint.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NoConstraint implements IPolicyConstraint {
+
+ public static final String CONFIG_NAME = "name";
+
+ private IConfigStore mConfig = null;
+ private Vector mNames = new Vector();
+
+ public Enumeration getConfigNames() {
+ return mNames.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ }
+
+ public String getConfig(String name) {
+ return null;
+ }
+
+ public String getDefaultConfig(String name) {
+ return null;
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ mConfig = config;
+ }
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ /**
+ * Validates the request. The request is not modified
+ * during the validation.
+ */
+ public void validate(IRequest request)
+ throws ERejectException {
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale,
+ "CMS_PROFILE_CONSTRAINT_NO_CONSTRAINT_TEXT");
+ }
+
+ public String getName(Locale locale) {
+ try {
+ return mConfig.getString(CONFIG_NAME);
+ } catch (EBaseException e) {
+ return null;
+ }
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ return true;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
new file mode 100644
index 000000000..fb01d7d14
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
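Review bot: `getName`, near the end of the NoConstraint hunk, dereferences `mConfig` that is only assigned in `init` and swallows `EBaseException` without a trace, so a constraint that was never initialised or whose config store cannot be read surfaces as a null name with no log entry to explain it. A guard and a debug line keep that diagnosable: `if (mConfig == null) return null;` before the `try`, and `CMS.debug("NoConstraint: getName: " + e.toString());` in the catch ahead of `return null;`. The raw `Vector`/`Enumeration` on `mNames` and `getConfigNames` would also read better as `Vector<String>`/`Enumeration<String>`, since the names are only ever strings.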
@@ -0,0 +1,165 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.math.BigInteger; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; + +/** + * This class supports renewal grace period, which has two + * parameters: graceBefore and graceAfter + * + * @author Christina Fu + * @version $Revision$, $Date$ + */ +public class RenewGracePeriodConstraint extends EnrollConstraint { + + // for renewal: # of days before the orig cert expiration date + public static final String CONFIG_RENEW_GRACE_BEFORE = "renewal.graceBefore"; + // for renewal: # of days after the orig cert expiration 
date + public static final String CONFIG_RENEW_GRACE_AFTER = "renewal.graceAfter"; + + public RenewGracePeriodConstraint() { + super(); + addConfigName(CONFIG_RENEW_GRACE_BEFORE); + addConfigName(CONFIG_RENEW_GRACE_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RENEW_GRACE_BEFORE) || + name.equals(CONFIG_RENEW_GRACE_AFTER)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RENEW_GRACE_BEFORE + " or " + CONFIG_RENEW_GRACE_AFTER)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RENEW_GRACE_BEFORE)) { + return new Descriptor(IDescriptor.INTEGER, null, "30", + CMS.getUserMessage(locale, "CMS_PROFILE_RENEW_GRACE_BEFORE")); + } else if (name.equals(CONFIG_RENEW_GRACE_AFTER)) { + return new Descriptor(IDescriptor.INTEGER, null, "30", + CMS.getUserMessage(locale, "CMS_PROFILE_RENEW_GRACE_AFTER")); + } + return null; + } + + public void validate(IRequest req, X509CertInfo info) + throws ERejectException { + String origExpDate_s = req.getExtDataInString("origNotAfter"); + // probably not for renewal + if (origExpDate_s == null) { + return; + } else { + CMS.debug("validate RenewGracePeriod: original cert expiration date found... 
renewing"); + } + CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins"); + BigInteger origExpDate_BI = new BigInteger(origExpDate_s); + Date origExpDate = new Date(origExpDate_BI.longValue()); + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + int renew_grace_before = 0; + int renew_grace_after = 0; + BigInteger renew_grace_before_BI = new BigInteger(renew_grace_before_s); + BigInteger renew_grace_after_BI = new BigInteger(renew_grace_after_s); + + // -1 means no limit + if (renew_grace_before_s == "") + renew_grace_before = -1; + else + renew_grace_before = Integer.parseInt(renew_grace_before_s); + + if (renew_grace_after_s == "") + renew_grace_after = -1; + else + renew_grace_after = Integer.parseInt(renew_grace_after_s); + + if (renew_grace_before > 0) + renew_grace_before_BI = renew_grace_before_BI.multiply(BigInteger.valueOf(1000 * 86400)); + if (renew_grace_after > 0) + renew_grace_after_BI = renew_grace_after_BI.multiply(BigInteger.valueOf(1000 * 86400)); + + Date current = CMS.getCurrentDate(); + long millisDiff = origExpDate.getTime() - current.getTime(); + CMS.debug("validateRenewGracePeriod: millisDiff=" + + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime()); + + /* + * "days", if positive, has to be less than renew_grace_before + * "days", if negative, means already past expiration date, + * (abs value) has to be less than renew_grace_after + * if renew_grace_before or renew_grace_after are negative + * the one with negative value is ignored + */ + if (millisDiff >= 0) { + if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + " days after original cert expiration date")); + } + } else { + if ((renew_grace_after > 0) 
&& ((0 - millisDiff) > renew_grace_after_BI.longValue())) { + throw new ERejectException(CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", + renew_grace_before + " days before and " + + renew_grace_after + " days after original cert expiration date")); + } + } + } + + public String getText(Locale locale) { + String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE); + String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER); + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", + renew_grace_before_s + " days before and " + + renew_grace_after_s + " days after original cert expiration date"); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java new file mode 100644 index 000000000..4dbe329b3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/SigningAlgConstraint.java 
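Review bot: In `validate`, `renew_grace_before_s == ""` and `renew_grace_after_s == ""` compare by reference, so the "-1 means no limit" branch can only be taken for an interned literal and any other empty value falls through to `Integer.parseInt("")`; worse, `new BigInteger(renew_grace_before_s)` runs before that check, so an empty (or, if `getConfig` can return it, null) value throws `NumberFormatException`/`NullPointerException` out of a method that declares only `ERejectException`. The check needs `.isEmpty()` plus a null guard and must precede any parsing; deriving the `BigInteger` values from the already-parsed ints also removes the duplicate parse. `setConfig` rejects a non-numeric value, so the empty case presumably only arises for a profile loaded at `init` with the key blank, which I cannot see validated in this hunk. The millisecond conversion and grace-window comparison that follow are unchanged.
```java
String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE);
String renew_grace_after_s = getConfig(CONFIG_RENEW_GRACE_AFTER);
// -1 means no limit; an unset/empty value has to be recognised before anything is parsed
int renew_grace_before = (renew_grace_before_s == null || renew_grace_before_s.isEmpty())
        ? -1 : Integer.parseInt(renew_grace_before_s);
int renew_grace_after = (renew_grace_after_s == null || renew_grace_after_s.isEmpty())
        ? -1 : Integer.parseInt(renew_grace_after_s);
BigInteger renew_grace_before_BI = BigInteger.valueOf(renew_grace_before);
BigInteger renew_grace_after_BI = BigInteger.valueOf(renew_grace_after);
// … unchanged: conversion to milliseconds and the grace-window comparison …
```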
@@ -0,0 +1,160 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SigningAlgDefault; +import com.netscape.cms.profile.def.UserSigningAlgDefault; + +/** + * This class implements the signing algorithm constraint. + * It checks if the signing algorithm in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class SigningAlgConstraint extends EnrollConstraint { + + public static final String CONFIG_ALGORITHMS_ALLOWED = "signingAlgsAllowed"; + + private static StringBuffer sb = new StringBuffer(""); + static { + for (int i = 0; i < AlgorithmId.ALL_SIGNING_ALGORITHMS.length; i++) { + if (i > 0) { + sb.append(","); + } + sb.append(AlgorithmId.ALL_SIGNING_ALGORITHMS[i]); + } + } + public static final String DEF_CONFIG_ALGORITHMS = new String(sb); + + public SigningAlgConstraint() { + super(); + addConfigName(CONFIG_ALGORITHMS_ALLOWED); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + + if (mConfig.getSubStore("params") == null) { + CMS.debug("SigningAlgConstraint: mConfig.getSubStore is null"); + } else { + CMS.debug("SigningAlgConstraint: setConfig name=" + name + + " value=" + value); + + if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { + StringTokenizer st = new StringTokenizer(value, ","); + while (st.hasMoreTokens()) { + String v = st.nextToken(); + if (DEF_CONFIG_ALGORITHMS.indexOf(v) == -1) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_PROPERTY_ERROR", v)); + } + } + } + mConfig.getSubStore("params").putString(name, value); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_ALGORITHMS_ALLOWED)) { + return new Descriptor(IDescriptor.STRING, null, + DEF_CONFIG_ALGORITHMS, + CMS.getUserMessage(locale, + "CMS_PROFILE_SIGNING_ALGORITHMS_ALLOWED")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CertificateAlgorithmId algId = null; + + try { + algId = (CertificateAlgorithmId) info.get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) + algId.get(CertificateAlgorithmId.ALGORITHM); + + Vector mCache = new Vector(); + StringTokenizer st = new StringTokenizer( + getConfig(CONFIG_ALGORITHMS_ALLOWED), ","); + + while (st.hasMoreTokens()) { + String token = st.nextToken(); + + mCache.addElement(token); + } + + if (!mCache.contains(id.toString())) { + throw new ERejectException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_SIGNING_ALGORITHM_NOT_MATCHED", id.toString())); + } + } catch (Exception e) { + if (e instanceof ERejectException) { + throw (ERejectException) e; + } + CMS.debug("SigningAlgConstraint: " + e.toString()); + throw new ERejectException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_SIGNING_ALGORITHM_NOT_FOUND")); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT", + getConfig(CONFIG_ALGORITHMS_ALLOWED)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserSigningAlgDefault) + return true; + if (def instanceof SigningAlgDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java new file mode 100644 index 000000000..477e99b98 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java 
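Review bot: The allow-list check in `setConfig`, `DEF_CONFIG_ALGORITHMS.indexOf(v) == -1`, is a substring test against the comma-joined algorithm string, so a fragment such as a prefix of a real algorithm name (or a piece spanning a comma) is accepted as configuration even though `validate` later compares whole tokens with `contains`; the outcome is a profile that silently never matches rather than a rejected setting. An exact membership test fixes it: `if (!Arrays.asList(AlgorithmId.ALL_SIGNING_ALGORITHMS).contains(v)) {` (needs `import java.util.Arrays;`). Separately, when `mConfig.getSubStore("params")` is null the new value is dropped with only a debug line; if that state is not expected, throwing `EPropertyException` there would surface the misconfiguration instead of hiding it. The catch of `Exception` in `validate` also turns a null `CONFIG_ALGORITHMS_ALLOWED` into an algorithm-not-found rejection, which fails closed but is misleading in the logs.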
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SubjectNameDefault; +import com.netscape.cms.profile.def.UserSubjectNameDefault; + +/** + * This class implements the subject name constraint. + * It checks if the subject name in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameConstraint extends EnrollConstraint { + + public static final String CONFIG_PATTERN = "pattern"; + + public SubjectNameConstraint() { + // configuration names + addConfigName(CONFIG_PATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME_PATTERN")); + } else { + return null; + } + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("SubjectNameConstraint: validate start"); + CertificateSubjectName sn = null; + + try { + sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + CMS.debug("SubjectNameConstraint: validate cert subject =" + + sn.toString()); + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name sn500 = null; + + try { + sn500 = (X500Name) sn.get(CertificateSubjectName.DN_NAME); + } catch (IOException e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + if (sn500 == null) { + CMS.debug("SubjectNameConstraint: validate() - sn500 is null"); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } else { + CMS.debug("SubjectNameConstraint: validate() - sn500 " + + CertificateSubjectName.DN_NAME + " = " + + sn500.toString()); + } + if (!sn500.toString().matches(getConfig(CONFIG_PATTERN))) { + CMS.debug("SubjectNameConstraint: validate() - sn500 not 
matching pattern " + getConfig(CONFIG_PATTERN)); + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED", + sn500.toString())); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT", + getConfig(CONFIG_PATTERN)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof SubjectNameDefault) + return true; + if (def instanceof UserSubjectNameDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java new file mode 100644 index 000000000..f10130aa6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java 
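Review bot: `sn500.toString().matches(getConfig(CONFIG_PATTERN))` in `validate` hands the profile's `pattern` value straight to `String.matches`, so a missing value raises `NullPointerException` and a malformed regex raises `PatternSyntaxException`, both unchecked and both escaping a method that declares only `ERejectException`; it also recompiles the regex on every request. Treating either case as a rejection keeps the constraint fail-closed, and compiling the pattern once in `init` or `setConfig` would report a bad regex when the profile is configured rather than at enrolment time. The rewrite below keeps the existing debug and reject messages and only wraps the match.
```java
String pattern = getConfig(CONFIG_PATTERN);
boolean matched;
try {
    // fail closed: a missing or invalid pattern rejects instead of throwing an unchecked exception
    matched = pattern != null && sn500.toString().matches(pattern);
} catch (PatternSyntaxException e) { // needs import java.util.regex.PatternSyntaxException
    CMS.debug("SubjectNameConstraint: validate() - invalid pattern: " + e.getMessage());
    matched = false;
}
if (!matched) {
    // … unchanged: debug line and CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED rejection …
}
```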
@@ -0,0 +1,295 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.util.Enumeration; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertRecordList; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; + +/** + * This constraint is to check for publickey uniqueness. 
+ * The config param "allowSameKeyRenewal" enables the + * situation where if the publickey is not unique, and if + * the subject DN is the same, that is a "renewal". + * + * Another "feature" that is quoted out of this code is the + * "revokeDupKeyCert" option, which enables the revocation + * of certs that bear the same publickey as the enrolling + * request. Since this can potentially be abused, it is taken + * out and preserved in comments to allow future refinement. + * + * @version $Revision$, $Date$ + */ +public class UniqueKeyConstraint extends EnrollConstraint { + /* + public static final String CONFIG_REVOKE_DUPKEY_CERT = + "revokeDupKeyCert"; + boolean mRevokeDupKeyCert = false; + */ + public static final String CONFIG_ALLOW_SAME_KEY_RENEWAL = + "allowSameKeyRenewal"; + boolean mAllowSameKeyRenewal = false; + public ICertificateAuthority mCA = null; + + public UniqueKeyConstraint() { + super(); + /* + addConfigName(CONFIG_REVOKE_DUPKEY_CERT); + */ + addConfigName(CONFIG_ALLOW_SAME_KEY_RENEWAL); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + /* + if (name.equals(CONFIG_REVOKE_DUPKEY_CERT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_REVOKE_DUPKEY_CERT")); + } + */ + if (name.equals(CONFIG_ALLOW_SAME_KEY_RENEWAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL")); + } + return null; + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. 
+ */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + boolean rejected = false; + int size = 0; + ICertRecordList list; + + /* + mRevokeDupKeyCert = + getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT); + */ + mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL); + + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) + infokey.get(CertificateX509Key.KEY); + + // check for key uniqueness + byte pub[] = key.getEncoded(); + String pub_s = escapeBinaryData(pub); + String filter = "(" + ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA + "=" + pub_s + ")"; + list = + (ICertRecordList) + mCA.getCertificateRepository().findCertRecordsInList(filter, null, 10); + size = list.getSize(); + + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_INTERNAL_ERROR", e.toString())); + } + + /* + * It does not matter if the corresponding cert's status + * is valid or not, we don't want a key that was once + * generated before + */ + if (size > 0) { + CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key."); + + /* + The following code revokes the existing certs that have + the same public key as the one submitted for enrollment + request. However, it is not a good idea due to possible + abuse. It is therefore commented out. 
It is still + however still maintained for possible utilization at later + time + + // if configured to revoke duplicated key + // revoke cert + if (mRevokeDupKeyCert) { + try { + Enumeration e = list.getCertRecords(0, size-1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + + // revoke the cert + BigInteger serialNum = cert.getSerialNumber(); + ICAService service = (ICAService) mCA.getCAService(); + + RevokedCertImpl crlEntry = + formCRLEntry(serialNum, RevocationReason.KEY_COMPROMISE); + service.revokeCert(crlEntry); + CMS.debug("UniqueKeyConstraint: certificate with duplicate publickey revoked successfully"); + } + } catch (Exception ex) { + CMS.debug("UniqueKeyConstraint: error in revoke dupkey cert"); + } + } // revoke dupkey cert turned on + */ + + if (mAllowSameKeyRenewal == true) { + X500Name sjname_in_db = null; + X500Name sjname_in_req = null; + + try { + // get subject of request + CertificateSubjectName subName = + (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + + if (subName != null) { + + sjname_in_req = + (X500Name) subName.get(CertificateSubjectName.DN_NAME); + CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString()); + Enumeration e = list.getCertRecords(0, size - 1); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = e.nextElement(); + X509CertImpl cert = rec.getCertificate(); + String certDN = + cert.getSubjectDN().toString(); + CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN); + + sjname_in_db = new X500Name(certDN); + + if (sjname_in_db.equals(sjname_in_req) == false) { + rejected = true; + break; + } else { + rejected = false; + } + } // while + } else { //subName is null + rejected = true; + } + } catch (Exception ex1) { + CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString()); + rejected = true; + } // try + + } else { + rejected = 
true; + }// allowSameKeyRenewal + } // (size > 0) + + if (rejected == true) { + CMS.debug("UniqueKeyConstraint: rejected"); + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_DUPLICATE_KEY")); + } else { + CMS.debug("UniqueKeyConstraint: approved"); + } + } + + /** + * make a CRL entry from a serial number and revocation reason. + * + * @return a RevokedCertImpl that can be entered in a CRL. + * + * protected RevokedCertImpl formCRLEntry( + * BigInteger serialNo, RevocationReason reason) + * throws EBaseException { + * CRLReasonExtension reasonExt = new CRLReasonExtension(reason); + * CRLExtensions crlentryexts = new CRLExtensions(); + * + * try { + * crlentryexts.set(CRLReasonExtension.NAME, reasonExt); + * } catch (IOException e) { + * CMS.debug("CMSGW_ERR_CRL_REASON "+e.toString()); + * + * // throw new ECMSGWException( + * // CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON")); + * + * } + * RevokedCertImpl crlentry = + * new RevokedCertImpl(serialNo, CMS.getCurrentDate(), + * crlentryexts); + * + * return crlentry; + * } + */ + + public String getText(Locale locale) { + String params[] = { + /* + getConfig(CONFIG_REVOKE_DUPKEY_CERT), + */ + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_ALLOW_SAME_KEY_RENEWAL_TEXT", params); + } + + public static String escapeBinaryData(byte data[]) { + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < data.length; i++) { + int v = 0xff & data[i]; + sb.append("\\"); + sb.append((v < 16 ? "0" : "")); + sb.append(Integer.toHexString(v)); + } + return sb.toString(); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UniqueKeyConstraint) + return true; + + return false; + } + +} 
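Review bot: In `validate`, `rejected` starts out `false` and the `mAllowSameKeyRenewal` branch only assigns it inside the `while` over `list.getCertRecords(0, size - 1)`, so if the repository reports `size > 0` but returns a null or empty enumeration the loop never runs and a request carrying an already-issued public key is approved; the branch should assume rejection until a record with the same subject has actually been seen, i.e. `rejected = true; // fail closed until a matching-subject record is found` immediately before the `Enumeration e = ...` line. `isApplicable` tests `def instanceof UniqueKeyConstraint`, a constraint type rather than a default, which looks like a copy error — as written only `NoDefault` can satisfy it. As the hunk reads, `ICertRecord rec = e.nextElement();` on a raw `Enumeration e` would not compile without a cast or `Enumeration<ICertRecord>`, so presumably one of those is what the committed file holds. The query also caps results at 10 while `size` is read from the returned list, so whether a key shared by more certificates than that is fully checked depends on `findCertRecordsInList` semantics not visible here.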
diff --git a/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
new file mode 100644
index 000000000..7a985b631
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
@@ -0,0 +1,251 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; + +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.Extension; +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.dbs.certdb.ICertRecord; +import com.netscape.certsrv.dbs.certdb.ICertificateRepository; +import com.netscape.certsrv.dbs.certdb.IRevocationInfo; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import 
com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.SubjectNameDefault; +import com.netscape.cms.profile.def.UserSubjectNameDefault; + +/** + * This class implements the unique subject name constraint. + * It checks if the subject name in the certificate is + * unique in the internal database, ie, no two certificates + * have the same subject name. + * + * @version $Revision$, $Date$ + */ +public class UniqueSubjectNameConstraint extends EnrollConstraint { + + public static final String CONFIG_KEY_USAGE_EXTENSION_CHECKING = + "enableKeyUsageExtensionChecking"; + private boolean mKeyUsageExtensionChecking = true; + + public UniqueSubjectNameConstraint() { + addConfigName(CONFIG_KEY_USAGE_EXTENSION_CHECKING); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_KEY_USAGE_EXTENSION_CHECKING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING")); + } + return null; + } + + public String getDefaultConfig(String name) { + return null; + } + + /** + * Checks if the key extension in the issued certificate + * is the same as the one in the certificate template. 
+ */ + private boolean sameKeyUsageExtension(ICertRecord rec, + X509CertInfo certInfo) { + X509CertImpl impl = rec.getCertificate(); + boolean bits[] = impl.getKeyUsage(); + + CertificateExtensions extensions = null; + + try { + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + } catch (java.security.cert.CertificateException e) { + } + KeyUsageExtension ext = null; + + if (extensions == null) { + if (bits != null) + return false; + } else { + try { + ext = (KeyUsageExtension) extensions.get( + KeyUsageExtension.NAME); + } catch (IOException e) { + // extension isn't there. + } + + if (ext == null) { + if (bits != null) + return false; + } else { + boolean[] InfoBits = ext.getBits(); + + if (InfoBits == null) { + if (bits != null) + return false; + } else { + if (bits == null) + return false; + if (InfoBits.length != bits.length) { + return false; + } + for (int i = 0; i < InfoBits.length; i++) { + if (InfoBits[i] != bits[i]) + return false; + } + } + } + } + return true; + } + + /** + * Validates the request. The request is not modified + * during the validation. + * + * Rules are as follows: + * If the subject name is not unique, then the request will be rejected unless: + * 1. the certificate is expired or expired_revoked + * 2. the certificate is revoked and the revocation reason is not "on hold" + * 3. 
the keyUsageExtension bits are different and enableKeyUsageExtensionChecking=true (default) + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CMS.debug("UniqueSubjectNameConstraint: validate start"); + CertificateSubjectName sn = null; + IAuthority authority = (IAuthority) CMS.getSubsystem("ca"); + + mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING); + ICertificateRepository certdb = null; + if (authority != null && authority instanceof ICertificateAuthority) { + ICertificateAuthority ca = (ICertificateAuthority) authority; + certdb = ca.getCertificateRepository(); + } + + try { + sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); + } catch (Exception e) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + + String certsubjectname = null; + if (sn == null) + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + else { + certsubjectname = sn.toString(); + String filter = "x509Cert.subject=" + certsubjectname; + Enumeration sameSubjRecords = null; + try { + sameSubjRecords = certdb.findCertRecords(filter); + } catch (EBaseException e) { + CMS.debug("UniqueSubjectNameConstraint exception: " + e.toString()); + } + while (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) { + ICertRecord rec = sameSubjRecords.nextElement(); + String status = rec.getStatus(); + + IRevocationInfo revocationInfo = rec.getRevocationInfo(); + RevocationReason reason = null; + + if (revocationInfo != null) { + CRLExtensions crlExts = revocationInfo.getCRLEntryExtensions(); + + if (crlExts != null) { + Enumeration enumx = crlExts.getElements(); + + while (enumx.hasMoreElements()) { + Extension ext = enumx.nextElement(); + + if (ext instanceof CRLReasonExtension) { + reason = ((CRLReasonExtension) ext).getReason(); + } + } + } + } + + if 
(status.equals(ICertRecord.STATUS_EXPIRED) || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + continue; + } + + if (status.equals(ICertRecord.STATUS_REVOKED) && reason != null && + (!reason.equals(RevocationReason.CERTIFICATE_HOLD))) { + continue; + } + + if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info)) { + continue; + } + + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE", + certsubjectname)); + } + } + CMS.debug("UniqueSubjectNameConstraint: validate end"); + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_KEY_USAGE_EXTENSION_CHECKING) + }; + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT", + params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof SubjectNameDefault) + return true; + if (def instanceof UserSubjectNameDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java new file mode 100644 index 000000000..98a7b4f96 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java 
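Review bot: In validate(), an EBaseException from `certdb.findCertRecords(filter)` is only logged, which leaves `sameSubjRecords` null, skips the while loop and approves the request — a repository failure silently turns the uniqueness check into a no-op. That catch should reject instead (wrap the error in an ERejectException with an appropriate user message rather than falling through), and the same applies when `certdb` is still null because the "ca" subsystem is not an ICertificateAuthority, which today ends in a NullPointerException outside that catch. The search filter is also built by plain concatenation (`"x509Cert.subject=" + certsubjectname`) from the subject name in the certificate template; the value should have LDAP filter special characters escaped per RFC 4515 before use so the lookup matches exactly the subject being checked and nothing else.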
@@ -0,0 +1,218 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + +import java.io.IOException; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ERejectException; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.def.CAValidityDefault; +import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.UserValidityDefault; +import com.netscape.cms.profile.def.ValidityDefault; + +/** + * This class implements the validity constraint. + * It checks if the validity in the certificate + * template satisfies the criteria. 
+ * + * @version $Revision$, $Date$ + */ +public class ValidityConstraint extends EnrollConstraint { + + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_NOT_BEFORE_GRACE_PERIOD = "notBeforeGracePeriod"; + public static final String CONFIG_CHECK_NOT_BEFORE = "notBeforeCheck"; + public static final String CONFIG_CHECK_NOT_AFTER = "notAfterCheck"; + public final static long SECS_IN_MS = 1000L; + + private Date mDefNotBefore = null; + private Date mDefNotAfter = null; + + public ValidityConstraint() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_NOT_BEFORE_GRACE_PERIOD); + addConfigName(CONFIG_CHECK_NOT_BEFORE); + addConfigName(CONFIG_CHECK_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE) || + name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", name)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.INTEGER, null, "365", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD")); + } else if (name.equals(CONFIG_CHECK_NOT_BEFORE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE")); + } else if (name.equals(CONFIG_CHECK_NOT_AFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "false", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER")); + } + 
return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + CertificateValidity v = null; + + try { + v = (CertificateValidity) info.get(X509CertInfo.VALIDITY); + } catch (Exception e) { + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notBefore = null; + + try { + notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); + } catch (IOException e) { + CMS.debug("ValidityConstraint: not before not found"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + Date notAfter = null; + + try { + notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); + } catch (IOException e) { + CMS.debug("ValidityConstraint: not after not found"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_NOT_FOUND")); + } + + if (notAfter.getTime() < notBefore.getTime()) { + CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < notBefore (" + notBefore + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); + } + + long millisDiff = notAfter.getTime() - notBefore.getTime(); + CMS.debug("ValidityConstraint: millisDiff=" + + millisDiff + " notAfter=" + notAfter.getTime() + " notBefore=" + notBefore.getTime()); + long long_days = (millisDiff / 1000) / 86400; + CMS.debug("ValidityConstraint: long_days: " + long_days); + int days = (int) long_days; + CMS.debug("ValidityConstraint: days: " + days); + + if (days > Integer.parseInt(getConfig(CONFIG_RANGE))) { + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_VALIDITY_OUT_OF_RANGE", + Integer.toString(days))); + } + + // 613828 + // The validity field shall specify a notBefore value + // that does not precede the current time and a notAfter 
+ // value that does not precede the value specified in + // notBefore (test can be automated; try entering violating + // time values and check result). + String notBeforeCheckStr = getConfig(CONFIG_CHECK_NOT_BEFORE); + boolean notBeforeCheck; + + if (notBeforeCheckStr == null || notBeforeCheckStr.equals("")) { + notBeforeCheckStr = "false"; + } + notBeforeCheck = Boolean.valueOf(notBeforeCheckStr).booleanValue(); + + String notAfterCheckStr = getConfig(CONFIG_CHECK_NOT_AFTER); + boolean notAfterCheck; + + if (notAfterCheckStr == null || notAfterCheckStr.equals("")) { + notAfterCheckStr = "false"; + } + notAfterCheck = Boolean.valueOf(notAfterCheckStr).booleanValue(); + + String notBeforeGracePeriodStr = getConfig(CONFIG_NOT_BEFORE_GRACE_PERIOD); + if (notBeforeGracePeriodStr == null || notBeforeGracePeriodStr.equals("")) { + notBeforeGracePeriodStr = "0"; + } + long notBeforeGracePeriod = Long.parseLong(notBeforeGracePeriodStr) * SECS_IN_MS; + + Date current = CMS.getCurrentDate(); + if (notBeforeCheck) { + if (notBefore.getTime() > (current.getTime() + notBeforeGracePeriod)) { + CMS.debug("ValidityConstraint: notBefore (" + notBefore + ") > current + " + + "gracePeriod (" + new Date(current.getTime() + notBeforeGracePeriod) + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_BEFORE_AFTER_CURRENT")); + } + } + if (notAfterCheck) { + if (notAfter.getTime() < current.getTime()) { + CMS.debug("ValidityConstraint: notAfter (" + notAfter + ") < current + (" + current + ")"); + throw new ERejectException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_NOT_AFTER_BEFORE_CURRENT")); + } + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT", getConfig(CONFIG_RANGE)); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof UserValidityDefault) + return true; + if (def instanceof 
ValidityDefault) + return true; + if (def instanceof CAValidityDefault) + return true; + return false; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java new file mode 100644 index 000000000..4e4f951f7 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java 
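Review bot: The range check in validate() truncates to whole days (`long long_days = (millisDiff / 1000) / 86400;`), so a template whose notAfter exceeds notBefore by the configured range plus anything under a full day still passes `days > range`; comparing in milliseconds closes that gap, e.g. `if (millisDiff > Integer.parseInt(getConfig(CONFIG_RANGE)) * 86400L * SECS_IN_MS)`. Separately, `Integer.parseInt(getConfig(CONFIG_RANGE))` is unguarded, so a missing or empty `range` value surfaces as an unchecked NumberFormatException rather than the ERejectException callers handle, while the three other config values a few lines below are defaulted when blank — `range` should get the same treatment or an explicit rejection. Note also that both `notBeforeCheck` and `notAfterCheck` default to "false", so out of the box only the relative range is enforced; that is a policy choice worth stating in the class Javadoc.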
@@ -0,0 +1,454 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.AccessDescription; +import netscape.security.extensions.AuthInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Authuority Info Access extension. 
+ * + * @version $Revision$, $Date$ + */ +public class AuthInfoAccessExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "authInfoAccessCritical"; + public static final String CONFIG_NUM_ADS = "authInfoAccessNumADs"; + public static final String CONFIG_AD_ENABLE = "authInfoAccessADEnable_"; + public static final String CONFIG_AD_METHOD = "authInfoAccessADMethod_"; + public static final String CONFIG_AD_LOCATIONTYPE = "authInfoAccessADLocationType_"; + public static final String CONFIG_AD_LOCATION = "authInfoAccessADLocation_"; + + public static final String VAL_CRITICAL = "authInfoAccessCritical"; + public static final String VAL_GENERAL_NAMES = "authInfoAccessGeneralNames"; + + private static final String AD_METHOD = "Method"; + private static final String AD_LOCATION_TYPE = "Location Type"; + private static final String AD_LOCATION = "Location"; + private static final String AD_ENABLE = "Enable"; + + private static final int DEF_NUM_AD = 1; + private static final int MAX_NUM_AD = 100; + + public AuthInfoAccessExtDefault() { + super(); + } + + protected int getNumAds() { + int num = DEF_NUM_AD; + String numAds = getConfig(CONFIG_NUM_ADS); + + if (numAds != null) { + try { + num = Integer.parseInt(numAds); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num > MAX_NUM_AD) { + num = DEF_NUM_AD; + } + + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_ADS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_AD || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + } + 
super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + mConfigNames.removeAllElements(); + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + // register configuration names bases on num ads + addConfigName(CONFIG_CRITICAL); + int num = getNumAds(); + + addConfigName(CONFIG_NUM_ADS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_AD_METHOD + i); + addConfigName(CONFIG_AD_LOCATIONTYPE + i); + addConfigName(CONFIG_AD_LOCATION + i); + addConfigName(CONFIG_AD_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_AD_METHOD)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_METHOD")); + } else if (name.startsWith(CONFIG_AD_LOCATIONTYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName", + "URIName", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATIONTYPE")); + } else if (name.startsWith(CONFIG_AD_LOCATION)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATION")); + } else if (name.startsWith(CONFIG_AD_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ADS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ADS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return 
new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + AuthInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthInfoAccessExtension a = new AuthInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + Vector v = parseRecords(value); + int size = v.size(); + + ext = new AuthInfoAccessExtension(critical); + String method = null; + String locationType = null; + String location = null; + String enable = null; + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(AD_METHOD)) { + method = nvps.get(name1); + } else if (name1.equals(AD_LOCATION_TYPE)) { + locationType = nvps.get(name1); + } else if (name1.equals(AD_LOCATION)) { + location = nvps.get(name1); + } else if (name1.equals(AD_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + GeneralName gn = null; + + if (locationType != null || location 
!= null) { + GeneralNameInterface interface1 = parseGeneralName(locationType + ":" + location); + if (interface1 == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", locationType)); + gn = new GeneralName(interface1); + } + + if (method != null) { + try { + ext.addAccessDescription(new ObjectIdentifier(method), gn); + } catch (NumberFormatException ee) { + CMS.debug("AuthInfoAccessExtDefault: " + ee.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_DEF_AIA_OID", method)); + } + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("AuthInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("AuthInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + AuthInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthInfoAccessExtension a = new AuthInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("AuthInfoAccessExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if 
(ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (AuthInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + int num = getNumAds(); + + CMS.debug("AuthInfoAccess num=" + num); + Vector recs = new Vector(); + + for (int i = 0; i < num; i++) { + NameValuePairs np = new NameValuePairs(); + AccessDescription des = null; + + if (i < ext.numberOfAccessDescription()) { + des = ext.getAccessDescription(i); + } + if (des == null) { + np.put(AD_METHOD, ""); + np.put(AD_LOCATION_TYPE, ""); + np.put(AD_LOCATION, ""); + np.put(AD_ENABLE, "false"); + } else { + ObjectIdentifier methodOid = des.getMethod(); + GeneralName gn = des.getLocation(); + + np.put(AD_METHOD, methodOid.toString()); + np.put(AD_LOCATION_TYPE, getGeneralNameType(gn)); + np.put(AD_LOCATION, getGeneralNameValue(gn)); + np.put(AD_ENABLE, "true"); + } + recs.addElement(np); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer ads = new StringBuffer(); + int num = getNumAds(); + + for (int i = 0; i < num; i++) { + ads.append("Record #"); + ads.append(i); + ads.append("{"); + ads.append(AD_METHOD + ":"); + ads.append(getConfig(CONFIG_AD_METHOD + i)); + ads.append(","); + ads.append(AD_LOCATION_TYPE + ":"); + ads.append(getConfig(CONFIG_AD_LOCATIONTYPE + i)); + ads.append(","); + ads.append(AD_LOCATION + ":"); + ads.append(getConfig(CONFIG_AD_LOCATION + i)); + ads.append(","); + ads.append(AD_ENABLE + ":"); + ads.append(getConfig(CONFIG_AD_ENABLE + i)); + ads.append("}"); + } + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AIA_TEXT", + getConfig(CONFIG_CRITICAL), ads.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + AuthInfoAccessExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public AuthInfoAccessExtension createExtension() { + AuthInfoAccessExtension ext = null; + int num = getNumAds(); + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + ext = new AuthInfoAccessExtension(critical); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_AD_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("AuthInfoAccess: createExtension i=" + i); + String method = getConfig(CONFIG_AD_METHOD + i); + String locationType = getConfig(CONFIG_AD_LOCATIONTYPE + i); + if (locationType == null || locationType.length() == 0) + locationType = "URIName"; + String location = getConfig(CONFIG_AD_LOCATION + i); + + if (location == null || location.equals("")) { + if (method.equals("1.3.6.1.5.5.7.48.1")) { + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) + // location = "http://"+hostname+":"+port+"/ocsp/ee/ocsp"; + location = "http://" + hostname + ":" + port + "/ca/ocsp"; + } + } + + String s = locationType + ":" + location; + GeneralNameInterface gn = parseGeneralName(s); + if (gn != null) { + ext.addAccessDescription(new ObjectIdentifier(method), + new GeneralName(gn)); + } + } + } + } catch (Exception e) { + CMS.debug("AuthInfoAccessExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java new file mode 100644 index 000000000..6c0f6e9fc --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java 
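Review bot: In setValue(), the per-record fields `method`, `locationType`, `location` and `enable` are declared once before the `for (int i = 0; i < size; i++)` loop and never reset, so a record that omits a key silently inherits the value parsed for the previous record (an `Enable` of "true" carries over to a record that never set it). Declaring them as the first statement of the loop body, `String method = null, locationType = null, location = null, enable = null;`, gives each record a clean slate. The setConfig() bound `num >= MAX_NUM_AD` also disagrees with getNumAds(), which only treats `num > MAX_NUM_AD` as overflow, so a configured value of 100 is rejected on one path and accepted on the other; pick one comparison. In createExtension(), `method.equals("1.3.6.1.5.5.7.48.1")` dereferences a possibly null config value and the enclosing `catch (Exception e)` only logs, so the extension can be returned partially populated; at minimum guard it with `if (method != null && method.equals("1.3.6.1.5.5.7.48.1"))`.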
@@ -0,0 +1,152 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy that + * populates subject name based on the attribute values + * in the authentication token (AuthToken) object. 
+ * + * @version $Revision$, $Date$ + */ +public class AuthTokenSubjectNameDefault extends EnrollDefault { + + public static final String VAL_NAME = "name"; + + public AuthTokenSubjectNameDefault() { + super(); + addValueName(VAL_NAME); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + CMS.debug("AuthTokenSubjectNameDefault: begins"); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + CMS.debug("AuthTokenSubjectNameDefault: setValue x500name=" + x500name.toString()); + } catch (IOException e) { + CMS.debug("AuthTokenSubjectNameDefault: setValue " + + e.toString()); + // failed to build x500 name + } + CMS.debug("AuthTokenSubjectNameDefault: setValue name=" + x500name.toString()); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("AuthTokenSubjectNameDefault: setValue " + + e.toString()); + } + } else { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) + throw new EPropertyException("Invalid name " + name); + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + return sn.toString(); + } catch 
(Exception e) { + // nothing + CMS.debug("AuthTokenSubjectNameDefault: getValue " + + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_AUTHTOKEN_SUBJECT_NAME"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + + // authenticate the subject name and populate it + // to the certinfo + try { + X500Name name = new X500Name( + request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)); + + CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString()); + info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("AuthTokenSubjectNameDefault: " + e.toString()); + throw new EProfileException(CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java new file mode 100644 index 000000000..6ec75990c --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java 
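Review bot: In setValue(), when `new X500Name(value)` throws IOException the catch only logs and execution continues to `x500name.toString()` on a null reference, so a malformed subject value ends in a NullPointerException instead of the EPropertyException callers expect; the catch should rethrow, e.g. `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`. The following `info.set(X509CertInfo.SUBJECT, ...)` catch likewise swallows the failure, so the template can leave this default with no subject set and only a debug line as evidence; that case should surface as an EPropertyException as well. getValue()'s `throw new EPropertyException("Invalid name " + name);` is the one message in this class not routed through CMS.getUserMessage; using `"CMS_INVALID_PROPERTY"` as the line below does keeps it consistent and localizable.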
@@ -0,0 +1,190 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.AuthorityKeyIdentifierExtension;
+import netscape.security.x509.KeyIdentifier;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates Authority Key Identifier extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_KEY_ID = "keyid"; + + public AuthorityKeyIdentifierExtDefault() { + super(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_KEY_ID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, null, CMS.getUserMessage(locale, + "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_KEY_ID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, null, CMS.getUserMessage(locale, + "CMS_PROFILE_KEY_ID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + // do nothing for read only value + } else if (name.equals(VAL_KEY_ID)) { + // do nothing for read only value + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + AuthorityKeyIdentifierExtension ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_KEY_ID)) { + ext = + (AuthorityKeyIdentifierExtension) getExtension( + PKIXExtensions.AuthorityKey_Id.toString(), info); + + if (ext == null) { + // do something here + return ""; + } + KeyIdentifier kid = null; + + try { + kid = (KeyIdentifier) + ext.get(AuthorityKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + // + CMS.debug(e.toString()); + } + if (kid == null) + return ""; + return toHexString(kid.getIdentifier()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AKI_EXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + AuthorityKeyIdentifierExtension ext = createExtension(info); + + addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info); + } + + public AuthorityKeyIdentifierExtension createExtension(X509CertInfo info) { + KeyIdentifier kid = null; + String localKey = getConfig("localKey"); + if (localKey != null && localKey.equals("true")) { + kid = getKeyIdentifier(info); + } else { + kid = getCAKeyIdentifier(); + } + + if (kid == null) + return null; + AuthorityKeyIdentifierExtension ext = null; + + try { + ext = new AuthorityKeyIdentifierExtension(false, kid, null, null); + } catch (IOException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: createExtension " + + e.toString()); + } + return ext; + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java b/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java
new file mode 100644
index 000000000..043cf029b
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/AutoAssignDefault.java
@@ -0,0 +1,96 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that automatically assign request to agent.
+ * + * @version $Revision$, $Date$ + */ +public class AutoAssignDefault extends EnrollDefault { + + public static final String CONFIG_ASSIGN_TO = "assignTo"; + + public AutoAssignDefault() { + super(); + addConfigName(CONFIG_ASSIGN_TO); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_ASSIGN_TO)) { + return new Descriptor(IDescriptor.STRING, + null, "admin", CMS.getUserMessage(locale, + "CMS_PROFILE_AUTO_ASSIGN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + return null; + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AUTO_ASSIGN", + getConfig(CONFIG_ASSIGN_TO)); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + try { + request.setRequestOwner( + mapPattern(request, getConfig(CONFIG_ASSIGN_TO))); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("AutoAssignDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java new file mode 100644 index 000000000..c442bf576 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/BasicConstraintsExtDefault.java 
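Review bot: populate swallows every exception from mapPattern/setRequestOwner with only a debug line, so a request the profile meant to hand to an agent continues with no owner and nothing upstream learns that the assignment failed. CAValidityDefault in this same commit catches only the `IOException` that mapPattern declares, and the same narrowing fits here, with an `EProfileException` rethrow if an unassigned request is not acceptable for the deployment. The comment in that catch, `// failed to insert subject name`, is copied from the subject-name default and should read `// failed to map or assign the request owner`.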
@@ -0,0 +1,297 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates Basic Constraint extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class BasicConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "basicConstraintsCritical"; + public static final String CONFIG_IS_CA = "basicConstraintsIsCA"; + public static final String CONFIG_PATH_LEN = "basicConstraintsPathLen"; + + public static final String VAL_CRITICAL = "basicConstraintsCritical"; + public static final String VAL_IS_CA = "basicConstraintsIsCA"; + public static final String VAL_PATH_LEN = "basicConstraintsPathLen"; + + public BasicConstraintsExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_IS_CA); + addValueName(VAL_PATH_LEN); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_IS_CA); + addConfigName(CONFIG_PATH_LEN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_IS_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(CONFIG_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, "CMS_PROFILE_PATH_LEN")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_IS_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_IS_CA")); + } else if (name.equals(VAL_PATH_LEN)) { + return new Descriptor(IDescriptor.INTEGER, null, + "-1", + CMS.getUserMessage(locale, 
"CMS_PROFILE_PATH_LEN")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + BasicConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_IS_CA)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + if (ext == null) { + return; + } + Boolean isCA = Boolean.valueOf(value); + + ext.set(BasicConstraintsExtension.IS_CA, isCA); + } else if (name.equals(VAL_PATH_LEN)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + Integer pathLen = Integer.valueOf(value); + + ext.set(BasicConstraintsExtension.PATH_LEN, pathLen); + } else { + throw new EPropertyException("Invalid name " + name); + } + replaceExtension(PKIXExtensions.BasicConstraints_Id.toString(), + ext, info); + } catch (IOException e) { + CMS.debug("BasicConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == 
null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + CMS.debug("BasicConstraintsExtDefault: getValue ext is null, populating a new one "); + + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_IS_CA)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + + return isCA.toString(); + } else if (name.equals(VAL_PATH_LEN)) { + ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + Integer pathLen = (Integer) + ext.get(BasicConstraintsExtension.PATH_LEN); + + String pLen = null; + + pLen = pathLen.toString(); + if (pLen.equals("-2")) { + //This is done for bug 621700. Profile constraints actually checks for -1 + //The low level security class for some reason sets this to -2 + //This will allow the request to be approved successfuly by the agent. 
+ + pLen = "-1"; + + } + + CMS.debug("BasicConstriantsExtDefault getValue(pLen) " + pLen); + + return pLen; + + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("BasicConstraintsExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_IS_CA), + getConfig(CONFIG_PATH_LEN) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_BASIC_CONSTRAINTS_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + BasicConstraintsExtension ext = createExtension(); + + addExtension(PKIXExtensions.BasicConstraints_Id.toString(), ext, + info); + } + + public BasicConstraintsExtension createExtension() { + BasicConstraintsExtension ext = null; + + boolean critical = Boolean.valueOf(getConfig(CONFIG_CRITICAL)).booleanValue(); + boolean isCA = Boolean.valueOf(getConfig(CONFIG_IS_CA)).booleanValue(); + String pathLenStr = getConfig(CONFIG_PATH_LEN); + + int pathLen = -2; + + if (!pathLenStr.equals("")) { + + pathLen = Integer.valueOf(pathLenStr).intValue(); + } + + try { + ext = new BasicConstraintsExtension(isCA, critical, pathLen); + } catch (Exception e) { + CMS.debug("BasicConstraintsExtDefault: createExtension " + + e.toString()); + return null; + } + ext.setCritical(critical); + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java new file mode 100644 index 000000000..872e32960 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/CAEnrollDefault.java 
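Review bot: In setValue the VAL_PATH_LEN branch calls `Integer.valueOf(value)` on the agent-entered value, but the enclosing try catches only IOException and EProfileException, so a non-numeric path length escapes as an unchecked NumberFormatException instead of the CMS_INVALID_PROPERTY error the other branches report; adding `} catch (NumberFormatException e) {` with the same debug-and-throw body as the IOException handler closes that. createExtension has the same gap for the configured value, and `pathLenStr.equals("")` there dereferences getConfig's result without the null guard that AuthorityKeyIdentifierExtDefault.createExtension applies to its own config value. The -2 to -1 rewrite in getValue (bug 621700) and the `int pathLen = -2;` unset marker in createExtension depend on each other, so a one-line comment at each pointing to the other would keep them from drifting apart.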
@@ -0,0 +1,106 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.KeyIdentifier;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectKeyIdentifierExtension;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+
+/**
+ * This class implements an abstract CA specific
+ * Enrollment default. This policy can only be
+ * used with CA subsystem.
+ * + * @version $Revision$, $Date$ + */ +public abstract class CAEnrollDefault extends EnrollDefault { + public CAEnrollDefault() { + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { + try { + CertificateX509Key ckey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY); + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (IOException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } catch (CertificateException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } catch (NoSuchAlgorithmException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } + return null; + } + + public KeyIdentifier getCAKeyIdentifier() { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + X509CertImpl caCert = ca.getCACert(); + if (caCert == null) { + // during configuration, we dont have the CA certificate + return null; + } + X509Key key = (X509Key) caCert.getPublicKey(); + + SubjectKeyIdentifierExtension subjKeyIdExt = + (SubjectKeyIdentifierExtension) + caCert.getExtension(PKIXExtensions.SubjectKey_Id.toString()); + if (subjKeyIdExt != null) { + try { + KeyIdentifier keyId = (KeyIdentifier) subjKeyIdExt.get( + SubjectKeyIdentifierExtension.KEY_ID); + return keyId; + } catch (IOException e) { + } + } + + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (NoSuchAlgorithmException e) { + CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " + + e.toString()); + } + return null; + } +} 
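Review bot: getCAKeyIdentifier's `catch (IOException e) { }` is empty, so when the CA certificate carries a Subject Key Identifier that fails to decode the method silently falls back to hashing the CA public key, and the AKI written into issued certificates may then not match the CA's actual SKI, which breaks chain building for relying parties; at minimum log it, `CMS.debug("CAEnrollDefault: getCAKeyIdentifier " + e.toString());`, so the mismatch can be traced. The three debug lines in getKeyIdentifier and the one in the fallback are all labelled `AuthorityKeyIdentifierExtDefault: getKeyId` although they live in CAEnrollDefault, which misdirects anyone reading the log. A comment on the two `MessageDigest.getInstance("SHA-1")` calls stating that this is the RFC 5280 section 4.2.1.2 method-1 key identifier, used only for AKI/SKI matching, would stop a future reader from "upgrading" the digest and silently breaking that matching.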
diff --git a/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java
new file mode 100644
index 000000000..e3b834ce5
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -0,0 +1,348 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.text.ParsePosition;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements a CA signing cert enrollment default policy
+ * that populates a server-side configurable validity
+ * into the certificate template.
+ * It allows an agent to bypass the CA's signing cert's expiration constraint + */ +public class CAValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + public static final String CONFIG_BYPASS_CA_NOTAFTER = "bypassCAnotafter"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + public static final String VAL_BYPASS_CA_NOTAFTER = "bypassCAnotafter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + public ICertificateAuthority mCA = null; + + public CAValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_BYPASS_CA_NOTAFTER); + + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + addValueName(VAL_BYPASS_CA_NOTAFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", /* 8 years */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new 
Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + CMS.debug("CAValidityDefault: setValue name= " + name); + + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = 
+ new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + boolean bypassCAvalidity = Boolean.valueOf(value).booleanValue(); + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity=" + bypassCAvalidity); + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if (ext == null) { + CMS.debug("CAValidityDefault: setValue: this default cannot be applied to non-CA cert."); + return; + } + try { + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + if (isCA.booleanValue() != true) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."); + return; + } + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert." + e.toString()); + return; + } + + CertificateValidity validity = null; + Date notAfter = null; + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + notAfter = (Date) validity.get(CertificateValidity.NOT_AFTER); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + // not to exceed CA's expiration + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (notAfter.after(caNotAfter)) { + if (bypassCAvalidity == false) { + notAfter = caNotAfter; + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity off. 
reset notAfter to caNotAfter. reset "); + } else { + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity on. notAfter is after caNotAfter. no reset"); + } + } + try { + validity.set(CertificateValidity.NOT_AFTER, + notAfter); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + CMS.debug("CAValidityDefault: getValue: name= " + name); + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return "false"; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String 
getText(Locale locale) { + String params[] = { + getConfig(CONFIG_RANGE), + getConfig(CONFIG_BYPASS_CA_NOTAFTER) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("CAValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java new file mode 100644 index 000000000..d1def3d5d --- /dev/null 
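Review bot: In setValue the VAL_NOT_BEFORE and VAL_NOT_AFTER branches pass the result of `formatter.parse(value, pos)` to validity.set without checking it, and the ParsePosition overload of SimpleDateFormat returns null on malformed input rather than throwing, so an unparseable agent-entered date is either stored as a null bound or fails later with a message that does not point at the bad value; add `if (date == null) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` after each parse. In populate, `Integer.parseInt(startTimeStr)` sits outside the try that guards the range value, so a non-numeric startTime propagates as a NumberFormatException instead of the EProfileException the range path produces. DATE_FORMAT carries no zone, so values are parsed and formatted in the server's default time zone, which is worth stating on the constant given that the VAL_BYPASS_CA_NOTAFTER branch compares the resulting notAfter against the CA certificate's notAfter.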
+++ b/base/common/src/com/netscape/cms/profile/def/CRLDistributionPointsExtDefault.java 
@@ -0,0 +1,696 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.BitArray; +import netscape.security.x509.CRLDistributionPoint; +import netscape.security.x509.CRLDistributionPointsExtension; +import netscape.security.x509.CRLDistributionPointsExtension.Reason; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNames; +import netscape.security.x509.GeneralNamesException; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.RDN; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an 
enrollment default policy + * that populates a CRL Distribution points extension + * into the certificate template. + * + * @version $Revision$, $Date$ + */ +public class CRLDistributionPointsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "crlDistPointsCritical"; + public static final String CONFIG_NUM_POINTS = "crlDistPointsNum"; + public static final String CONFIG_POINT_TYPE = "crlDistPointsPointType_"; + public static final String CONFIG_POINT_NAME = "crlDistPointsPointName_"; + public static final String CONFIG_REASONS = "crlDistPointsReasons_"; + public static final String CONFIG_ISSUER_TYPE = "crlDistPointsIssuerType_"; + public static final String CONFIG_ISSUER_NAME = "crlDistPointsIssuerName_"; + public static final String CONFIG_ENABLE = "crlDistPointsEnable_"; + + public static final String VAL_CRITICAL = "crlDistPointsCritical"; + public static final String VAL_CRL_DISTRIBUTION_POINTS = "crlDistPointsValue"; + + private static final String REASONS = "Reasons"; + private static final String POINT_TYPE = "Point Type"; + private static final String POINT_NAME = "Point Name"; + private static final String ISSUER_TYPE = "Issuer Type"; + private static final String ISSUER_NAME = "Issuer Name"; + private static final String ENABLE = "Enable"; + + private static final String RELATIVETOISSUER = "RelativeToIssuer"; + + private static final int DEF_NUM_POINTS = 1; + private static final int MAX_NUM_POINTS = 100; + + public CRLDistributionPointsExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POINTS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POINTS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", 
CONFIG_NUM_POINTS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_CRL_DISTRIBUTION_POINTS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPoints(); + + addConfigName(CONFIG_NUM_POINTS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_POINT_TYPE + i); + addConfigName(CONFIG_POINT_NAME + i); + addConfigName(CONFIG_REASONS + i); + addConfigName(CONFIG_ISSUER_TYPE + i); + addConfigName(CONFIG_ISSUER_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + protected int getNumPoints() { + int num = DEF_NUM_POINTS; + String val = getConfig(CONFIG_NUM_POINTS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POINTS) + num = DEF_NUM_POINTS; + + return num; + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_POINT_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_TYPE")); + } else if (name.startsWith(CONFIG_POINT_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_NAME")); + } else if (name.startsWith(CONFIG_REASONS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REASONS")); + } else if (name.startsWith(CONFIG_ISSUER_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + 
CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_TYPE")); + } else if (name.startsWith(CONFIG_ISSUER_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_NAME")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POINTS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_DIST_POINTS")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_DISTRIBUTION_POINTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + CRLDistributionPointsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + populate(locale, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = 
parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + int i = 0; + + for (; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String pointType = null; + String pointValue = null; + String issuerType = null; + String issuerValue = null; + String enable = null; + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(REASONS)) { + addReasons(locale, cdp, REASONS, nvps.get(name1)); + } else if (name1.equals(POINT_TYPE)) { + pointType = nvps.get(name1); + } else if (name1.equals(POINT_NAME)) { + pointValue = nvps.get(name1); + } else if (name1.equals(ISSUER_TYPE)) { + issuerType = nvps.get(name1); + } else if (name1.equals(ISSUER_NAME)) { + issuerValue = nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointValue); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerValue); + + // this is the first distribution point + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("CRLDistributionPointsExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private void addCRLPoint(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + try { + if (value == null || value.length() == 0) + return; + + if (type.equals(RELATIVETOISSUER)) { + cdp.setRelativeName(new RDN(value)); + } else if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + 
gen.addElement(parseGeneralName(type, value)); + cdp.setFullName(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("CRLDistributionPointsExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } catch (GeneralNamesException e) { + CMS.debug("CRLDistributionPointsExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + private void addIssuer(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + try { + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(parseGeneralName(type, value)); + cdp.setCRLIssuer(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("CRLDistributionPointsExtDefault: addIssuer " + + e.toString()); + } catch (GeneralNamesException e) { + CMS.debug("CRLDistributionPointsExtDefault: addIssuer " + + e.toString()); + } + } + + private void addReasons(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + if (type.equals(REASONS)) { + if (value != null && !value.equals("")) { + StringTokenizer st = new StringTokenizer(value, ", \t"); + byte reasonBits = 0; + + while (st.hasMoreTokens()) { + String s = st.nextToken(); + Reason r = Reason.fromString(s); + + if (r == null) { + CMS.debug("CRLDistributeionPointsExtDefault: addReasons Unknown reason: " + s); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", s)); + } else { + reasonBits |= r.getBitMask(); + } + } + + if (reasonBits != 0) { + BitArray ba = new 
BitArray(8, new byte[] { reasonBits } + ); + + cdp.setReasons(ba); + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CRLDistributionPointsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + try { + populate(locale, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (CRLDistributionPointsExtension) + getExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + info); + + if (ext == null) + return ""; + + Vector recs = new Vector(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + NameValuePairs pairs = null; + + if (i < ext.getNumPoints()) { + CRLDistributionPoint p = ext.getPointAt(i); + GeneralNames gns = p.getFullName(); + + pairs = buildGeneralNames(gns, p); + recs.addElement(pairs); + } else { + pairs = buildEmptyGeneralNames(); + recs.addElement(pairs); + } + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + protected NameValuePairs buildEmptyGeneralNames() { + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + pairs.put(REASONS, ""); + pairs.put(ISSUER_TYPE, 
""); + pairs.put(ISSUER_NAME, ""); + pairs.put(ENABLE, "false"); + return pairs; + } + + protected NameValuePairs buildGeneralNames(GeneralNames gns, CRLDistributionPoint p) + throws EPropertyException { + + NameValuePairs pairs = new NameValuePairs(); + + RDN rdn = null; + boolean hasFullName = false; + + pairs.put(ENABLE, "true"); + if (gns == null) { + rdn = p.getRelativeName(); + if (rdn != null) { + hasFullName = true; + pairs.put(POINT_TYPE, RELATIVETOISSUER); + pairs.put(POINT_NAME, rdn.toString()); + } else { + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + } + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(POINT_TYPE, getGeneralNameType(gn)); + pairs.put(POINT_NAME, getGeneralNameValue(gn)); + } + } + + if (!hasFullName) { + pairs.put(POINT_TYPE, GN_DIRECTORY_NAME); + pairs.put(POINT_NAME, ""); + } + + BitArray reasons = p.getReasons(); + String s = convertBitArrayToReasonNames(reasons); + + if (s.length() > 0) { + pairs.put(REASONS, s); + } else { + pairs.put(REASONS, ""); + } + + gns = p.getCRLIssuer(); + + if (gns == null) { + pairs.put(ISSUER_TYPE, GN_DIRECTORY_NAME); + pairs.put(ISSUER_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(ISSUER_TYPE, getGeneralNameType(gn)); + pairs.put(ISSUER_NAME, getGeneralNameValue(gn)); + } + } + return pairs; + } + + private String convertBitArrayToReasonNames(BitArray reasons) { + StringBuffer sb = new StringBuffer(); + + if (reasons != null) { + byte[] b = reasons.toByteArray(); + Reason[] reasonArray = Reason.bitArrayToReasonArray(b); + + for (int i = 0; i < reasonArray.length; i++) { + if (sb.length() > 0) + sb.append(","); + sb.append(reasonArray[i].getName()); + } + } + + return sb.toString(); + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + 
sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(POINT_TYPE + ":"); + sb.append(getConfig(CONFIG_POINT_TYPE + i)); + sb.append(","); + sb.append(POINT_NAME + ":"); + sb.append(getConfig(CONFIG_POINT_NAME + i)); + sb.append(","); + sb.append(REASONS + ":"); + sb.append(getConfig(CONFIG_REASONS + i)); + sb.append(","); + sb.append(ISSUER_TYPE + ":"); + sb.append(getConfig(CONFIG_ISSUER_TYPE + i)); + sb.append(","); + sb.append(ISSUER_NAME + ":"); + sb.append(getConfig(CONFIG_ISSUER_NAME + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_CRL_DIST_POINTS_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + private void populate(Locale locale, X509CertInfo info) + throws EProfileException { + CRLDistributionPointsExtension ext = createExtension(locale); + + if (ext == null) + return; + addExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CRLDistributionPointsExtension ext = createExtension(request); + + if (ext == null) + return; + addExtension(PKIXExtensions.CRLDistributionPoints_Id.toString(), + ext, info); + } + + public CRLDistributionPointsExtension createExtension(IRequest request) { + CRLDistributionPointsExtension ext = null; + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String reasons = getConfig(CONFIG_REASONS + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(getLocale(request), cdp, pointType, pointName); + if (issuerType != null) + addIssuer(getLocale(request), cdp, issuerType, issuerName); + if (reasons != null) + addReasons(getLocale(request), cdp, REASONS, reasons); + + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } catch (Exception e) { + CMS.debug("CRLDistribtionPointsExtDefault: createExtension " + + e.toString()); + CMS.debug(e); + } + + return ext; + } + + private CRLDistributionPointsExtension createExtension(Locale locale) { + CRLDistributionPointsExtension ext = null; + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + 
String reasons = getConfig(CONFIG_REASONS + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointName); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerName); + addReasons(locale, cdp, REASONS, reasons); + + if (i == 0) { + ext = new CRLDistributionPointsExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } catch (Exception e) { + CMS.debug("CRLDistribtionPointsExtDefault: createExtension " + + e.toString()); + CMS.debug(e); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java b/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java new file mode 100644 index 000000000..8d4ae2288 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/CertificatePoliciesExtDefault.java 
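Review bot: In both createExtension overloads, `ext` is still null when the first enabled point is not point 0 (e.g. `crlDistPointsEnable_0` false, `crlDistPointsEnable_1` true), so the `ext.addPoint(cdp)` branch throws a NullPointerException that the enclosing `catch (Exception e)` logs and swallows, and the method returns null — populate() then adds no CRL Distribution Points extension at all. Testing `if (ext == null)` instead of `if (i == 0)` before `ext = new CRLDistributionPointsExtension(cdp)` fixes this in both overloads, and the same substitution in setValue stops a disabled record 0 from appending points onto the previously populated extension instead of replacing it. More broadly, the `catch (Exception e)` in createExtension turns any malformed point or issuer name into a silently missing extension, so a misconfigured profile issues certificates with no revocation pointer rather than failing the enrollment; rethrowing as EProfileException (which populate already declares) would surface the error. addIssuer likewise only logs IOException/GeneralNamesException while addCRLPoint rethrows them as EPropertyException, so a bad issuer name is dropped without any signal to the caller — the two helpers should agree. Since the two createExtension bodies differ only in the Locale source, `createExtension(IRequest request)` could delegate to `createExtension(getLocale(request))` to remove the duplicated loop.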
@@ -0,0 +1,796 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Hashtable; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.Vector; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.CPSuri; +import netscape.security.x509.CertificatePoliciesExtension; +import netscape.security.x509.CertificatePolicyId; +import netscape.security.x509.CertificatePolicyInfo; +import netscape.security.x509.DisplayText; +import netscape.security.x509.NoticeReference; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.PolicyQualifiers; +import netscape.security.x509.Qualifier; +import netscape.security.x509.UserNotice; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import 
com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a policy mappings extension + * into the certificate template. + * + * @version $Revision$, $Date$ + */ +public class CertificatePoliciesExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "Critical"; + public static final String CONFIG_PREFIX = "PoliciesExt.certPolicy"; + public static final String CONFIG_PREFIX1 = "PolicyQualifiers"; + public static final String CONFIG_POLICY_ENABLE = "enable"; + public static final String CONFIG_POLICY_NUM = "PoliciesExt.num"; + public static final String CONFIG_POLICY_ID = "policyId"; + public static final String CONFIG_POLICY_QUALIFIERS_NUM = "PolicyQualifiers.num"; + public static final String CONFIG_CPSURI_ENABLE = "CPSURI.enable"; + public static final String CONFIG_USERNOTICE_ENABLE = "usernotice.enable"; + public static final String CONFIG_CPSURI_VALUE = "CPSURI.value"; + public static final String CONFIG_USERNOTICE_ORG = "usernotice.noticeReference.organization"; + public static final String CONFIG_USERNOTICE_NUMBERS = "usernotice.noticeReference.noticeNumbers"; + public static final String CONFIG_USERNOTICE_TEXT = "usernotice.explicitText.value"; + + public static final String VAL_CRITICAL = "Critical"; + public static final String VAL_POLICY_QUALIFIERS = "policyQualifiers"; + + private static final String SEPARATOR = "."; + private static final int DEF_NUM_POLICIES = 5; + private static final int DEF_NUM_QUALIFIERS = 1; + private static final int MAX_NUM_POLICIES = 20; + private static final String POLICY_ID_ENABLE = "Enable"; + private static final String POLICY_ID = "Policy Id"; + private static final String POLICY_QUALIFIER_CPSURI_ENABLE = "CPSuri Enable"; + private static final String POLICY_QUALIFIER_USERNOTICE_ENABLE = "UserNotice Enable"; + private static final String USERNOTICE_REF_ORG = "UserNoticeReference Organization"; + private static final String 
USERNOTICE_REF_NUMBERS = "UserNoticeReference Numbers"; + private static final String USERNOTICE_EXPLICIT_TEXT = "UserNoticeReference Explicit Text"; + private static final String CPSURI = "CPS uri"; + + public CertificatePoliciesExtDefault() { + super(); + } + + protected int getNumPolicies() { + int num = DEF_NUM_POLICIES; + String numPolicies = getConfig(CONFIG_POLICY_NUM); + + if (numPolicies != null) { + try { + num = Integer.parseInt(numPolicies); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POLICIES) + num = DEF_NUM_POLICIES; + return num; + } + + protected int getNumQualifiers() { + int num = DEF_NUM_QUALIFIERS; + String numQualifiers = getConfig(CONFIG_POLICY_QUALIFIERS_NUM); + if (numQualifiers != null) { + try { + num = Integer.parseInt(numQualifiers); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_POLICY_NUM)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POLICIES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_POLICY_NUM)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_POLICY_NUM)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_POLICY_QUALIFIERS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPolicies(); + int numQualifiers = getNumQualifiers(); + + addConfigName(CONFIG_POLICY_NUM); + + for (int i = 0; i < num; i++) { + 
addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + for (int j = 0; j < numQualifiers; j++) { + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ORG); + addConfigName(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + addConfigName(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_TEXT); + } + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.indexOf(CONFIG_POLICY_ID) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_ID")); + } else if (name.indexOf(CONFIG_CPSURI_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIER_CPSURI_ENABLE")); + } else if (name.indexOf(CONFIG_USERNOTICE_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIER_USERNOTICE_ENABLE")); + } else if (name.indexOf(CONFIG_POLICY_ENABLE) >= 0) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CERTIFICATE_POLICY_ENABLE")); + } else if (name.indexOf(CONFIG_POLICY_QUALIFIERS_NUM) >= 0) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, 
"CMS_PROFILE_POLICY_QUALIFIER_NUM")); + } else if (name.indexOf(CONFIG_USERNOTICE_ORG) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_REF_ORG")); + } else if (name.indexOf(CONFIG_USERNOTICE_NUMBERS) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_REF_NUMBERS")); + } else if (name.indexOf(CONFIG_USERNOTICE_TEXT) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_USERNOTICE_EXPLICIT_TEXT")); + } else if (name.indexOf(CONFIG_CPSURI_VALUE) >= 0) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_CPSURI")); + } else if (name.indexOf(CONFIG_POLICY_NUM) >= 0) { + return new Descriptor(IDescriptor.INTEGER, null, + "5", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_POLICIES")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POLICY_QUALIFIERS")); + } + return null; + } + + private Hashtable buildRecords(String value) throws EPropertyException { + StringTokenizer st = new StringTokenizer(value, "\r\n"); + Hashtable table = new Hashtable(); + while (st.hasMoreTokens()) { + String token = (String) st.nextToken(); + int index = token.indexOf(":"); + if (index <= 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", token)); + String name = token.substring(0, index); + String val = ""; + if ((token.length() - 1) > index) { + val = token.substring(index + 1); + } + table.put(name, val); + } + + return table; + } + + public void 
setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + CertificatePoliciesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(val); + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + Hashtable h = buildRecords(value); + + String numStr = (String) h.get(CONFIG_POLICY_NUM); + int size = Integer.parseInt(numStr); + + Vector certificatePolicies = new Vector(); + for (int i = 0; i < size; i++) { + String enable = (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + CertificatePolicyInfo cinfo = null; + if (enable != null && enable.equals("true")) { + String policyId = (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + + if (policyId == null || policyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_POLICYID")); + CertificatePolicyId cpolicyId = getPolicyId(policyId); + + String qualifersNum = + (String) h.get(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + PolicyQualifiers policyQualifiers = new PolicyQualifiers(); + int num = 0; + if (qualifersNum != null && qualifersNum.length() > 0) + num = Integer.parseInt(qualifersNum); + for (int j = 0; j < num; j++) { + String cpsuriEnable = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + String usernoticeEnable = + (String) h + .get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_ENABLE); + if (cpsuriEnable != null && 
cpsuriEnable.equals("true")) { + String cpsuri = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createCPSuri(cpsuri); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } else if (usernoticeEnable != null && enable.equals("true")) { + String org = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_ORG); + String noticenumbers = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_NUMBERS); + String explicitText = + (String) h.get(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + + CONFIG_USERNOTICE_TEXT); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createUserNotice(org, + noticenumbers, explicitText); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } + } + + if (policyQualifiers.size() <= 0) { + cinfo = + new CertificatePolicyInfo(cpolicyId); + } else { + cinfo = + new CertificatePolicyInfo(cpolicyId, policyQualifiers); + } + if (cinfo != null) + certificatePolicies.addElement(cinfo); + } + } + + ext.set(CertificatePoliciesExtension.INFOS, certificatePolicies); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("CertificatePoliciesExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("CertificatePoliciesExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + @SuppressWarnings("unchecked") + public String getValue(String name, Locale locale, + X509CertInfo info) + throws 
EPropertyException { + CertificatePoliciesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_POLICY_QUALIFIERS)) { + ext = (CertificatePoliciesExtension) + getExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + info); + + if (ext == null) + return ""; + + StringBuffer sb = new StringBuffer(); + int num_policies = getNumPolicies(); + sb.append(CONFIG_POLICY_NUM); + sb.append(":"); + sb.append(num_policies); + sb.append("\n"); + Vector infos; + + try { + infos = (Vector) ext.get(CertificatePoliciesExtension.INFOS); + } catch (IOException ee) { + infos = null; + } + + for (int i = 0; i < num_policies; i++) { + int qSize = 0; + String policyId = ""; + String policyEnable = "false"; + PolicyQualifiers qualifiers = null; + if (infos.size() > 0) { + CertificatePolicyInfo cinfo = + infos.elementAt(0); + + CertificatePolicyId id1 = cinfo.getPolicyIdentifier(); + policyId = id1.getIdentifier().toString(); + policyEnable = "true"; + qualifiers = cinfo.getPolicyQualifiers(); + if (qualifiers != null) + qSize = qualifiers.size(); + infos.removeElementAt(0); + } + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ENABLE); + sb.append(":"); + sb.append(policyEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_ID); + sb.append(":"); + sb.append(policyId); + sb.append("\n"); + + if (qSize == 0) { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + sb.append(":"); + sb.append(DEF_NUM_QUALIFIERS); + sb.append("\n"); + } else { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_POLICY_QUALIFIERS_NUM); + sb.append(":"); + 
sb.append(qSize); + sb.append("\n"); + } + if (qSize == 0) { + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_CPSURI_ENABLE); + sb.append(":"); + sb.append("false"); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_CPSURI_VALUE); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + sb.append(":"); + sb.append("false"); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_ORG); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + sb.append(":"); + sb.append(""); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + "0" + SEPARATOR + CONFIG_USERNOTICE_TEXT); + sb.append(":"); + sb.append(""); + sb.append("\n"); + } + + for (int j = 0; j < qSize; j++) { + netscape.security.x509.PolicyQualifierInfo qinfo = qualifiers.getInfoAt(j); + ObjectIdentifier oid = qinfo.getId(); + Qualifier qualifier = qinfo.getQualifier(); + + String cpsuriEnable = "false"; + String usernoticeEnable = "false"; + String cpsuri = ""; + String org = ""; + StringBuffer noticeNum = new StringBuffer(); + String explicitText = ""; + + if (oid.toString().equals(netscape.security.x509.PolicyQualifierInfo.QT_CPS.toString())) { + cpsuriEnable = "true"; + CPSuri content = (CPSuri) qualifier; + cpsuri = content.getURI(); + } else if (oid.toString().equals(netscape.security.x509.PolicyQualifierInfo.QT_UNOTICE.toString())) { + usernoticeEnable = "true"; + UserNotice content = (UserNotice) qualifier; + NoticeReference ref = content.getNoticeReference(); + if (ref != null) { + org = ref.getOrganization().getText(); + int[] nums = ref.getNumbers(); + for (int k = 0; k < nums.length; k++) { + if (k != 0) { + 
noticeNum.append(","); + noticeNum.append(nums[k]); + } else + noticeNum.append(nums[k]); + } + } + DisplayText displayText = content.getDisplayText(); + if (displayText != null) + explicitText = displayText.getText(); + } + + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_ENABLE); + sb.append(":"); + sb.append(cpsuriEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_CPSURI_VALUE); + sb.append(":"); + sb.append(cpsuri); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ENABLE); + sb.append(":"); + sb.append(usernoticeEnable); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_ORG); + sb.append(":"); + sb.append(org); + sb.append("\n"); + sb.append(CONFIG_PREFIX + + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_NUMBERS); + sb.append(":"); + sb.append(noticeNum.toString()); + sb.append("\n"); + sb.append(CONFIG_PREFIX + i + SEPARATOR + CONFIG_PREFIX1 + j + SEPARATOR + CONFIG_USERNOTICE_TEXT); + sb.append(":"); + sb.append(explicitText); + sb.append("\n"); + } + } // end of for loop + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPolicies(); + int num1 = getNumQualifiers(); + + try { + IConfigStore basesubstore = getConfigStore().getSubStore("params"); + sb.append("{"); + sb.append(CONFIG_POLICY_NUM + ":"); + sb.append(num); + sb.append(","); + for (int i = 0; i < num; i++) { + sb.append("{"); + IConfigStore substore = basesubstore.getSubStore(CONFIG_PREFIX + i); + String enable = substore.getString(CONFIG_POLICY_ENABLE, ""); + sb.append(POLICY_ID_ENABLE + ":"); + sb.append(enable); + sb.append(","); + String policyId = 
substore.getString(CONFIG_POLICY_ID, ""); + sb.append(POLICY_ID + ":"); + sb.append(policyId); + sb.append(","); + String qualifiersNum = substore.getString(CONFIG_POLICY_QUALIFIERS_NUM, ""); + sb.append(CONFIG_POLICY_QUALIFIERS_NUM + ":"); + sb.append(qualifiersNum); + sb.append(","); + for (int j = 0; j < num1; j++) { + IConfigStore substore1 = substore.getSubStore(CONFIG_PREFIX1 + j); + sb.append("{"); + String cpsuriEnable = substore1.getString(CONFIG_CPSURI_ENABLE, ""); + sb.append(POLICY_QUALIFIER_CPSURI_ENABLE + ":"); + sb.append(cpsuriEnable); + sb.append(","); + String usernoticeEnable = substore1.getString(CONFIG_USERNOTICE_ENABLE, ""); + sb.append(POLICY_QUALIFIER_USERNOTICE_ENABLE + ":"); + sb.append(usernoticeEnable); + sb.append(","); + String org = substore1.getString(CONFIG_USERNOTICE_ORG, ""); + sb.append(USERNOTICE_REF_ORG + ":"); + sb.append(org); + sb.append(","); + String refNums = substore1.getString(CONFIG_USERNOTICE_NUMBERS, ""); + sb.append(USERNOTICE_REF_NUMBERS + ":"); + sb.append(refNums); + sb.append(","); + String explicitText = substore1.getString(CONFIG_USERNOTICE_TEXT, ""); + sb.append(USERNOTICE_EXPLICIT_TEXT + ":"); + sb.append(explicitText); + sb.append(","); + String cpsuri = substore1.getString(CONFIG_CPSURI_VALUE, ""); + sb.append(CPSURI + ":"); + sb.append(cpsuri); + sb.append("}"); + } + sb.append("}"); + } + sb.append("}"); + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_CERTIFICATE_POLICIES_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } catch (Exception e) { + return ""; + } + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificatePoliciesExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.CertificatePolicies_Id.toString(), + ext, info); + } + + public CertificatePoliciesExtension createExtension() + throws EProfileException { + CertificatePoliciesExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + Vector certificatePolicies = new Vector(); + int num = getNumPolicies(); + CMS.debug("CertificatePoliciesExtension: createExtension: number of policies=" + num); + IConfigStore config = getConfigStore(); + + for (int i = 0; i < num; i++) { + IConfigStore basesubstore = config.getSubStore("params"); + IConfigStore substore = basesubstore.getSubStore(CONFIG_PREFIX + i); + String enable = substore.getString(CONFIG_POLICY_ENABLE); + + CMS.debug("CertificatePoliciesExtension: createExtension: CertificatePolicy " + i + " enable=" + enable); + if (enable != null && enable.equals("true")) { + String policyId = substore.getString(CONFIG_POLICY_ID); + CertificatePolicyId cpolicyId = getPolicyId(policyId); + CMS.debug("CertificatePoliciesExtension: createExtension: CertificatePolicy " + + i + " policyId=" + policyId); + int qualifierNum = getNumQualifiers(); + PolicyQualifiers policyQualifiers = new PolicyQualifiers(); + for (int j = 0; j < qualifierNum; j++) { + IConfigStore substore1 = substore.getSubStore(CONFIG_PREFIX1 + j); + String cpsuriEnable = substore1.getString(CONFIG_CPSURI_ENABLE); + String usernoticeEnable = substore1.getString(CONFIG_USERNOTICE_ENABLE); + + if (cpsuriEnable != null && cpsuriEnable.equals("true")) { + String cpsuri = substore1.getString(CONFIG_CPSURI_VALUE, ""); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createCPSuri(cpsuri); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } else if (usernoticeEnable != null && + usernoticeEnable.equals("true")) { + + 
String org = substore1.getString(CONFIG_USERNOTICE_ORG); + String noticenumbers = substore1.getString(CONFIG_USERNOTICE_NUMBERS); + String explicitText = substore1.getString(CONFIG_USERNOTICE_TEXT); + netscape.security.x509.PolicyQualifierInfo qualifierInfo = createUserNotice(org, + noticenumbers, explicitText); + if (qualifierInfo != null) + policyQualifiers.add(qualifierInfo); + } + } + + CertificatePolicyInfo info = null; + if (policyQualifiers.size() <= 0) { + info = + new CertificatePolicyInfo(cpolicyId); + } else { + info = + new CertificatePolicyInfo(cpolicyId, policyQualifiers); + } + + if (info != null) + certificatePolicies.addElement(info); + } + } + + ext = new CertificatePoliciesExtension(critical, certificatePolicies); + } catch (EPropertyException e) { + throw new EProfileException(e.toString()); + } catch (EProfileException e) { + throw e; + } catch (Exception e) { + CMS.debug("CertificatePoliciesExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + private CertificatePolicyId getPolicyId(String policyId) throws EPropertyException { + if (policyId == null || policyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_POLICYID")); + + CertificatePolicyId cpolicyId = null; + try { + cpolicyId = new CertificatePolicyId( + ObjectIdentifier.getObjectIdentifier(policyId)); + return cpolicyId; + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_POLICYID_ERROR", policyId)); + } + } + + private netscape.security.x509.PolicyQualifierInfo createCPSuri(String uri) throws EPropertyException { + if (uri == null || uri.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + "CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_CPSURI")); + + CPSuri cpsURI = new CPSuri(uri); + netscape.security.x509.PolicyQualifierInfo policyQualifierInfo2 = + new 
netscape.security.x509.PolicyQualifierInfo(netscape.security.x509.PolicyQualifierInfo.QT_CPS, + cpsURI); + + return policyQualifierInfo2; + } + + private netscape.security.x509.PolicyQualifierInfo createUserNotice(String organization, + String noticeText, String noticeNums) throws EPropertyException { + + if ((organization == null || organization.length() == 0) && + (noticeNums == null || noticeNums.length() == 0) && + (noticeText == null || noticeText.length() == 0)) + return null; + + DisplayText explicitText = null; + if (noticeText != null && noticeText.length() > 0) + explicitText = new DisplayText(DisplayText.tag_VisibleString, noticeText); + + int nums[] = null; + if (noticeNums != null && noticeNums.length() > 0) { + Vector numsVector = new Vector(); + StringTokenizer tokens = new StringTokenizer(noticeNums, ";"); + while (tokens.hasMoreTokens()) { + String num = tokens.nextToken().trim(); + numsVector.addElement(num); + } + + nums = new int[numsVector.size()]; + try { + for (int i = 0; i < numsVector.size(); i++) { + Integer ii = new Integer((String) numsVector.elementAt(i)); + nums[i] = ii.intValue(); + } + } catch (Exception e) { + throw new EPropertyException("Wrong notice numbers"); + } + } + + DisplayText orgName = null; + if (organization != null && organization.length() > 0) { + orgName = + new DisplayText(DisplayText.tag_VisibleString, organization); + } + + NoticeReference noticeReference = null; + + if (orgName != null) + noticeReference = new NoticeReference(orgName, nums); + + UserNotice userNotice = null; + if (explicitText != null || noticeReference != null) { + userNotice = new UserNotice(noticeReference, explicitText); + + netscape.security.x509.PolicyQualifierInfo policyQualifierInfo1 = + new netscape.security.x509.PolicyQualifierInfo( + netscape.security.x509.PolicyQualifierInfo.QT_UNOTICE, userNotice); + return policyQualifierInfo1; + } + + return null; + } +} 
diff --git a/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java b/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java
new file mode 100644
index 000000000..d30f971dd
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/CertificateVersionDefault.java
@@ -0,0 +1,193 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Locale;
+
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a Netscape comment extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class CertificateVersionDefault extends EnrollExtDefault { + + public static final String CONFIG_VERSION = "certVersionNum"; + + public static final String VAL_VERSION = "certVersionNum"; + + public CertificateVersionDefault() { + super(); + addValueName(VAL_VERSION); + + addConfigName(CONFIG_VERSION); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_VERSION)) { + return new Descriptor(IDescriptor.INTEGER, null, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_VERSION")); + } else { + return null; + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_VERSION)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_VERSION)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_VERSION)) { + return new Descriptor(IDescriptor.INTEGER, null, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_VERSION")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_VERSION)) { + if (value == null || value.equals("")) + throw new EPropertyException(name + " cannot be empty"); + else { + int version = Integer.valueOf(value).intValue() - 1; + + if (version == CertificateVersion.V1) + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V1)); + else if (version == CertificateVersion.V2) + info.set(X509CertInfo.VERSION, + new 
CertificateVersion(CertificateVersion.V2)); + else if (version == CertificateVersion.V3) + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("CertificateVersionDefault: setValue " + e.toString()); + } catch (CertificateException e) { + CMS.debug("CertificateVersionDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + if (name.equals(VAL_VERSION)) { + CertificateVersion v = null; + try { + v = (CertificateVersion) info.get( + X509CertInfo.VERSION); + } catch (Exception e) { + } + + if (v == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + int version = v.compare(0); + + return "" + (version + 1); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_VERSION) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_CERT_VERSION", params); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + String v = getConfig(CONFIG_VERSION); + int version = Integer.valueOf(v).intValue() - 1; + + try { + if (version == CertificateVersion.V1) + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V1)); + else if (version == CertificateVersion.V2) + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V2)); + else if (version == CertificateVersion.V3) + info.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + else { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_VERSION)); + } + } catch (IOException e) { + } catch (CertificateException e) { + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java new file mode 100644 index 000000000..67ebadbe4 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java 
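Review bot: In setValue, a version string outside 1–3 (for example "4" or "0") falls through the if/else-if chain on VERSION and is silently accepted, whereas populate rejects the same input with an EProfileException; add a trailing `else throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` so an approval-page edit cannot leave the template's version untouched without any error, and catch `NumberFormatException` from `Integer.valueOf(value)` the same way instead of letting it escape unchecked (setConfig validates the config value, but setValue does not). The empty `catch (IOException e) { } catch (CertificateException e) { }` blocks in populate discard a failure to set X509CertInfo.VERSION, so the template silently keeps whatever version it already had; at minimum log as setValue does, and preferably rethrow as EProfileException so the profile does not issue with an unintended version. The class Javadoc ("populates a Netscape comment extension") is a copy-paste leftover; it should read `* that sets the certificate version (certVersionNum) in the certificate template.`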
@@ -0,0 +1,815 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.NoSuchElementException;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.KerberosName;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.DNSName;
+import netscape.security.x509.EDIPartyName;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.IPAddressName;
+import netscape.security.x509.OIDName;
+import netscape.security.x509.OtherName;
+import netscape.security.x509.RFC822Name;
+import netscape.security.x509.URIName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IAttrSet;
+import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.IPrettyPrintFormat; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.pattern.Pattern; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.ICertInfoPolicyDefault; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IPolicyDefault; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements an enrollment default policy. + * + * @version $Revision$, $Date$ + */ +public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDefault { + + public static final String PROP_NAME = "name"; + + public static final String GN_RFC822_NAME = "RFC822Name"; + public static final String GN_DNS_NAME = "DNSName"; + public static final String GN_URI_NAME = "URIName"; + public static final String GN_IP_NAME = "IPAddressName"; + public static final String GN_DIRECTORY_NAME = "DirectoryName"; + public static final String GN_EDI_NAME = "EDIPartyName"; + public static final String GN_ANY_NAME = "OtherName"; + public static final String GN_OID_NAME = "OIDName"; + + protected IConfigStore mConfig = null; + protected Vector mConfigNames = new Vector(); + protected Vector mValueNames = new Vector(); + + public EnrollDefault() { + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void addConfigName(String name) { + mConfigNames.addElement(name); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + 
mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) + return null; + if (mConfig.getSubStore("params") != null) { + return mConfig.getSubStore("params").getString(name); + } + } catch (EBaseException e) { + } + return ""; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + } + + /** + * Retrieves the localizable description of this policy. + * + * @param locale locale of the end user + * @return localized description of this default policy + */ + public abstract String getText(Locale locale); + + public IConfigStore getConfigStore() { + return mConfig; + } + + public String getName(Locale locale) { + try { + return mConfig.getString(PROP_NAME); + } catch (EBaseException e) { + return null; + } + } + + /** + * Populates attributes into the certificate template. + * + * @param request enrollment request + * @param info certificate template + * @exception EProfileException failed to populate attributes + * into request + */ + public abstract void populate(IRequest request, X509CertInfo info) + throws EProfileException; + + /** + * Sets values from the approval page into certificate template. + * + * @param name name of the attribute + * @param locale user locale + * @param info certificate template + * @param value attribute value + * @exception EProfileException failed to set attributes + * into request + */ + public abstract void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException; + + /** + * Retrieves certificate template values and returns them to + * the approval page. 
+ * + * @param name name of the attribute + * @param locale user locale + * @param info certificate template + * @exception EProfileException failed to get attributes + * from request + */ + public abstract String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException; + + /** + * Populates the request with this policy default. + * + * The current implementation extracts enrollment specific attributes + * and calls the populate() method of the subclass. + * + * @param request request to be populated + * @exception EProfileException failed to populate + */ + public void populate(IRequest request) + throws EProfileException { + String name = getClass().getName(); + + name = name.substring(name.lastIndexOf('.') + 1); + CMS.debug(name + ": populate start"); + X509CertInfo info = + request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); + + populate(request, info); + + request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); + CMS.debug(name + ": populate end"); + } + + public void addValueName(String name) { + mValueNames.addElement(name); + } + + public Enumeration getValueNames() { + return mValueNames.elements(); + } + + public IDescriptor getValueDescriptor(String name) { + return null; + } + + /** + * Sets the value of the given value property by name. + * + * The current implementation extracts enrollment specific attributes + * and calls the setValue() method of the subclass. 
+ * + * @param name name of property + * @param locale locale of the end user + * @param request request + * @param value value to be set in the given request + * @exception EPropertyException failed to set property + */ + public void setValue(String name, Locale locale, IRequest request, + String value) + throws EPropertyException { + X509CertInfo info = + request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); + + setValue(name, locale, info, value); + + request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the value of the given value + * property by name. + * + * The current implementation extracts enrollment specific attributes + * and calls the getValue() method of the subclass. + * + * @param name name of property + * @param locale locale of the end user + * @param request request + * @exception EPropertyException failed to get property + */ + public String getValue(String name, Locale locale, IRequest request) + throws EPropertyException { + X509CertInfo info = + request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO); + + String value = getValue(name, locale, info); + request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); + return value; + } + + public String toHexString(byte data[]) { + IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); + String s = pp.toHexString(data, 0, 16); + StringTokenizer st = new StringTokenizer(s, "\n"); + StringBuffer buffer = new StringBuffer(); + + while (st.hasMoreTokens()) { + buffer.append(st.nextToken()); + buffer.append("\\n"); + } + return buffer.toString(); + } + + protected void refreshConfigAndValueNames() { + mConfigNames.removeAllElements(); + mValueNames.removeAllElements(); + } + + protected void deleteExtension(String name, X509CertInfo info) { + CertificateExtensions exts = null; + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + if (exts == null) + return; + Enumeration e = exts.getNames(); + + while (e.hasMoreElements()) { + 
String n = e.nextElement(); + Extension ext = (Extension) exts.get(n); + + if (ext.getExtensionId().toString().equals(name)) { + exts.delete(n); + } + } + } catch (Exception e) { + CMS.debug(e.toString()); + } + } + + protected Extension getExtension(String name, X509CertInfo info) { + CertificateExtensions exts = null; + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + CMS.debug("EnrollDefault: getExtension " + e.toString()); + } + if (exts == null) + return null; + return getExtension(name, exts); + } + + protected Extension getExtension(String name, CertificateExtensions exts) { + if (exts == null) + return null; + Enumeration e = exts.getAttributes(); + + while (e.hasMoreElements()) { + Extension ext = e.nextElement(); + + if (ext.getExtensionId().toString().equals(name)) { + return ext; + } + } + return null; + } + + protected void addExtension(String name, Extension ext, X509CertInfo info) + throws EProfileException { + if (ext == null) { + throw new EProfileException("extension not found"); + } + CertificateExtensions exts = null; + + Extension alreadyPresentExtension = getExtension(name, info); + + if (alreadyPresentExtension != null) { + String eName = ext.toString(); + CMS.debug("EnrollDefault.addExtension: duplicate extension attempted! 
Name: " + eName); + throw new EProfileException(CMS.getUserMessage("CMS_PROFILE_DUPLICATE_EXTENSION", eName)); + } + + try { + exts = (CertificateExtensions) + info.get(X509CertInfo.EXTENSIONS); + } catch (Exception e) { + CMS.debug("EnrollDefault: " + e.toString()); + } + if (exts == null) { + throw new EProfileException("extensions not found"); + } + try { + exts.set(name, ext); + } catch (IOException e) { + CMS.debug("EnrollDefault: " + e.toString()); + } + } + + protected void replaceExtension(String name, Extension ext, X509CertInfo info) + throws EProfileException { + deleteExtension(name, info); + addExtension(name, ext, info); + } + + protected boolean isOptional(String value) { + return value.equals(""); + } + + protected boolean getBoolean(String value) { + return Boolean.valueOf(value).booleanValue(); + } + + protected int getInt(String value) { + return Integer.valueOf(value).intValue(); + } + + protected boolean getConfigBoolean(String value) { + return getBoolean(getConfig(value)); + } + + protected int getConfigInt(String value) { + return getInt(getConfig(value)); + } + + protected boolean isGeneralNameValid(String name) { + if (name == null) + return false; + int pos = name.indexOf(':'); + if (pos == -1) + return false; + String nameValue = name.substring(pos + 1).trim(); + if (nameValue.equals("")) + return false; + return true; + } + + protected GeneralNameInterface parseGeneralName(String name) + throws IOException { + int pos = name.indexOf(':'); + if (pos == -1) + return null; + String nameType = name.substring(0, pos).trim(); + String nameValue = name.substring(pos + 1).trim(); + return parseGeneralName(nameType, nameValue); + } + + protected boolean isGeneralNameType(String nameType) { + if (nameType.equalsIgnoreCase("RFC822Name")) { + return true; + } + if (nameType.equalsIgnoreCase("DNSName")) { + return true; + } + if (nameType.equalsIgnoreCase("x400")) { + return true; + } + if (nameType.equalsIgnoreCase("DirectoryName")) { + return 
true; + } + if (nameType.equalsIgnoreCase("EDIPartyName")) { + return true; + } + if (nameType.equalsIgnoreCase("URIName")) { + return true; + } + if (nameType.equalsIgnoreCase("IPAddress")) { + return true; + } + if (nameType.equalsIgnoreCase("OIDName")) { + return true; + } + if (nameType.equalsIgnoreCase("OtherName")) { + return true; + } + return false; + } + + protected GeneralNameInterface parseGeneralName(String nameType, String nameValue) + throws IOException { + if (nameType.equalsIgnoreCase("RFC822Name")) { + return new RFC822Name(nameValue); + } + if (nameType.equalsIgnoreCase("DNSName")) { + return new DNSName(nameValue); + } + if (nameType.equalsIgnoreCase("x400")) { + // XXX + } + if (nameType.equalsIgnoreCase("DirectoryName")) { + return new X500Name(nameValue); + } + if (nameType.equalsIgnoreCase("EDIPartyName")) { + return new EDIPartyName(nameValue); + } + if (nameType.equalsIgnoreCase("URIName")) { + return new URIName(nameValue); + } + if (nameType.equalsIgnoreCase("IPAddress")) { + CMS.debug("IP Value:" + nameValue); + if (nameValue.indexOf('/') != -1) { + // CIDR support for NameConstraintsExt + StringTokenizer st = new StringTokenizer(nameValue, "/"); + String addr = st.nextToken(); + String netmask = st.nextToken(); + CMS.debug("addr:" + addr + " netmask: " + netmask); + return new IPAddressName(addr, netmask); + } else { + return new IPAddressName(nameValue); + } + } + if (nameType.equalsIgnoreCase("OIDName")) { + try { + // check if OID + new ObjectIdentifier(nameValue); + } catch (Exception e) { + return null; + } + return new OIDName(nameValue); + } + if (nameType.equals("OtherName")) { + if (nameValue == null || nameValue.length() == 0) + nameValue = " "; + if (nameValue.startsWith("(PrintableString)")) { + // format: OtherName: (PrintableString)oid,value + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf(','); + if (pos1 == -1) + return null; + String on_oid = nameValue.substring(pos0 + 1, pos1).trim(); + String 
on_value = nameValue.substring(pos1 + 1).trim(); + if (isValidOID(on_oid)) { + return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_PrintableString, on_value); + } else { + return null; + } + } else if (nameValue.startsWith("(KerberosName)")) { + // Syntax: (KerberosName)Realm|NameType|NameString(s) + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf('|'); + int pos2 = nameValue.lastIndexOf('|'); + String realm = nameValue.substring(pos0 + 1, pos1).trim(); + String name_type = nameValue.substring(pos1 + 1, pos2).trim(); + String name_strings = nameValue.substring(pos2 + 1).trim(); + Vector strings = new Vector(); + StringTokenizer st = new StringTokenizer(name_strings, ","); + while (st.hasMoreTokens()) { + strings.addElement(st.nextToken()); + } + KerberosName name = new KerberosName(realm, + Integer.parseInt(name_type), strings); + // krb5 OBJECT IDENTIFIER ::= { iso (1) + // org (3) + // dod (6) + // internet (1) + // security (5) + // kerberosv5 (2) } + // krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 } + return new OtherName(KerberosName.KRB5_PRINCIPAL_NAME, + name.toByteArray()); + } else if (nameValue.startsWith("(IA5String)")) { + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf(','); + if (pos1 == -1) + return null; + String on_oid = nameValue.substring(pos0 + 1, pos1).trim(); + String on_value = nameValue.substring(pos1 + 1).trim(); + if (isValidOID(on_oid)) { + return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_IA5String, on_value); + } else { + return null; + } + } else if (nameValue.startsWith("(UTF8String)")) { + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf(','); + if (pos1 == -1) + return null; + String on_oid = nameValue.substring(pos0 + 1, pos1).trim(); + String on_value = nameValue.substring(pos1 + 1).trim(); + if (isValidOID(on_oid)) { + return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_UTF8String, on_value); + } else { + return null; + } + } else if 
(nameValue.startsWith("(BMPString)")) { + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf(','); + if (pos1 == -1) + return null; + String on_oid = nameValue.substring(pos0 + 1, pos1).trim(); + String on_value = nameValue.substring(pos1 + 1).trim(); + if (isValidOID(on_oid)) { + return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_BMPString, on_value); + } else { + return null; + } + } else if (nameValue.startsWith("(Any)")) { + int pos0 = nameValue.indexOf(')'); + int pos1 = nameValue.indexOf(','); + if (pos1 == -1) + return null; + String on_oid = nameValue.substring(pos0 + 1, pos1).trim(); + String on_value = nameValue.substring(pos1 + 1).trim(); + if (isValidOID(on_oid)) { + CMS.debug("OID: " + on_oid + " Value:" + on_value); + return new OtherName(new ObjectIdentifier(on_oid), getBytes(on_value)); + } else { + CMS.debug("Invalid OID " + on_oid); + return null; + } + } else { + return null; + } + } + return null; + } + + /** + * Converts string containing pairs of characters in the range of '0' + * to '9', 'a' to 'f' to an array of bytes such that each pair of + * characters in the string represents an individual byte + */ + public byte[] getBytes(String string) { + if (string == null) + return null; + int stringLength = string.length(); + if ((stringLength == 0) || ((stringLength % 2) != 0)) + return null; + byte[] bytes = new byte[(stringLength / 2)]; + for (int i = 0, b = 0; i < stringLength; i += 2, ++b) { + String nextByte = string.substring(i, (i + 2)); + bytes[b] = (byte) Integer.parseInt(nextByte, 0x10); + } + return bytes; + } + + /** + * Check if a object identifier in string form is valid, + * that is a string in the form n.n.n.n and der encode and decode-able. + * + * @param oid object identifier string. 
+ * @return true if the oid is valid + */ + public boolean isValidOID(String oid) { + ObjectIdentifier v = null; + try { + v = ObjectIdentifier.getObjectIdentifier(oid); + } catch (Exception e) { + return false; + } + if (v == null) + return false; + + // if the OID isn't valid (ex. n.n) the error isn't caught til + // encoding time leaving a bad request in the request queue. + try { + DerOutputStream derOut = new DerOutputStream(); + + derOut.putOID(v); + new ObjectIdentifier(new DerInputStream(derOut.toByteArray())); + } catch (Exception e) { + return false; + } + return true; + } + + protected String buildRecords(Vector recs) throws EPropertyException { + StringBuffer sb = new StringBuffer(); + + for (int i = 0; i < recs.size(); i++) { + NameValuePairs pairs = recs.elementAt(i); + + sb.append("Record #"); + sb.append(i); + sb.append("\r\n"); + + for (String key : pairs.keySet()) { + String val = pairs.get(key); + + sb.append(key); + sb.append(":"); + sb.append(val); + sb.append("\r\n"); + } + sb.append("\r\n"); + + } + return sb.toString(); + } + + protected Vector parseRecords(String value) throws EPropertyException { + StringTokenizer st = new StringTokenizer(value, "\r\n"); + int num = 0; + Vector v = new Vector(); + NameValuePairs nvps = null; + + while (st.hasMoreTokens()) { + String token = st.nextToken(); + + if (token.equals("Record #" + num)) { + CMS.debug("parseRecords: Record" + num); + nvps = new NameValuePairs(); + v.addElement(nvps); + try { + token = st.nextToken(); + } catch (NoSuchElementException e) { + v.removeElementAt(num); + CMS.debug(e.toString()); + return v; + } + num++; + } + + if (nvps == null) + throw new EPropertyException("Bad Input Format"); + + int pos = token.indexOf(":"); + + if (pos <= 0) { + CMS.debug("parseRecords: No colon found in the input line"); + throw new EPropertyException("Bad Input Format"); + } else { + if (pos == (token.length() - 1)) { + nvps.put(token.substring(0, pos), ""); + } else { + 
nvps.put(token.substring(0, pos), token.substring(pos + 1)); + } + } + } + + return v; + } + + protected String getGeneralNameType(GeneralName gn) + throws EPropertyException { + int type = gn.getType(); + + if (type == GeneralNameInterface.NAME_RFC822) + return "RFC822Name"; + else if (type == GeneralNameInterface.NAME_DNS) + return "DNSName"; + else if (type == GeneralNameInterface.NAME_URI) + return "URIName"; + else if (type == GeneralNameInterface.NAME_IP) + return "IPAddress"; + else if (type == GeneralNameInterface.NAME_DIRECTORY) + return "DirectoryName"; + else if (type == GeneralNameInterface.NAME_EDI) + return "EDIPartyName"; + else if (type == GeneralNameInterface.NAME_ANY) + return "OtherName"; + else if (type == GeneralNameInterface.NAME_OID) + return "OIDName"; + + throw new EPropertyException("Unsupported type: " + type); + } + + protected String getGeneralNameValue(GeneralName gn) throws EPropertyException { + String s = gn.toString(); + int type = gn.getType(); + + if (type == GeneralNameInterface.NAME_DIRECTORY) + return s; + else { + int pos = s.indexOf(":"); + + if (pos <= 0) + throw new EPropertyException("Badly formatted general name: " + s); + else { + return s.substring(pos + 1).trim(); + } + } + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + + if (request == null) + return null; + + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + public String toGeneralNameString(GeneralNameInterface gn) { + int type = gn.getType(); + // Sun's General Name is not consistent, so we need + // to do a special case for directory string + if (type == GeneralNameInterface.NAME_DIRECTORY) { + return "DirectoryName: " + gn.toString(); + } + return gn.toString(); + } + + protected String mapPattern(IRequest request, String pattern) + throws IOException { + Pattern p = new Pattern(pattern); + IAttrSet attrSet = null; + 
if (request != null) { + attrSet = request.asIAttrSet(); + } + return p.substitute2("request", attrSet); + } + + protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape) { + StringBuffer result = new StringBuffer(); + + // Do we need to escape any characters + for (int i = 0; i < v.length(); i++) { + int c = v.charAt(i); + if (c == ',' || c == '=' || c == '+' || c == '<' || + c == '>' || c == '#' || c == ';' || c == '\r' || + c == '\n' || c == '\\' || c == '"') { + if ((c == 0x5c) && ((i + 1) < v.length())) { + int nextC = v.charAt(i + 1); + if ((c == 0x5c) && (nextC == ',' || nextC == '=' || nextC == '+' || + nextC == '<' || nextC == '>' || nextC == '#' || + nextC == ';' || nextC == '\r' || nextC == '\n' || + nextC == '\\' || nextC == '"')) { + if (doubleEscape) + result.append('\\'); + } else { + result.append('\\'); + if (doubleEscape) + result.append('\\'); + } + } else { + result.append('\\'); + if (doubleEscape) + result.append('\\'); + } + } + if (c == '\r') { + result.append("0D"); + } else if (c == '\n') { + result.append("0A"); + } else { + result.append((char) c); + } + } + return result; + } + +} diff --git a/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java b/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java new file mode 100644 index 000000000..24f79cdec --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/EnrollExtDefault.java 
@@ -0,0 +1,28 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+/**
+ * This class implements an enrollment extension
+ * default policy that extension into the certificate
+ * template.
+ *
+ * @version $Revision$, $Date$
+ */
+public abstract class EnrollExtDefault extends EnrollDefault {
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java b/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
new file mode 100644
index 000000000..f1d63a348
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/ExtendedKeyUsageExtDefault.java
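Review bot: The class Javadoc on EnrollExtDefault is missing its verb — `default policy that extension into the certificate template` — so the summary sentence never says what the class is for. Since the class body is empty, this comment is the only place a reader learns how it differs from its parent EnrollDefault. Suggest `This class is the base for enrollment default policies that populate an extension into the certificate template.` as the first sentence.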
@@ -0,0 +1,250 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.extensions.ExtendedKeyUsageExtension;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates Extended Key Usage extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class ExtendedKeyUsageExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "exKeyUsageCritical"; + public static final String CONFIG_OIDS = "exKeyUsageOIDs"; + + public static final String VAL_CRITICAL = "exKeyUsageCritical"; + public static final String VAL_OIDS = "exKeyUsageOIDs"; + + public ExtendedKeyUsageExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_OIDS); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_OIDS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_OIDS)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_OIDS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_OIDS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + ExtendedKeyUsageExtension ext = null; + + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + 
locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_OIDS)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + // ext.deleteAllOIDs(); + StringTokenizer st = new StringTokenizer(value, ","); + + if (ext == null) { + return; + } + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + ext.addOID(new ObjectIdentifier(oid)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + try { + replaceExtension(ExtendedKeyUsageExtension.OID, ext, info); + } catch (EProfileException e) { + CMS.debug("ExtendedKeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ExtendedKeyUsageExtension ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_OIDS)) { + ext = (ExtendedKeyUsageExtension) + getExtension(ExtendedKeyUsageExtension.OID, info); + StringBuffer sb = new StringBuffer(); + if (ext == null) { + return 
""; + } + Enumeration e = ext.getOIDs(); + + while (e.hasMoreElements()) { + ObjectIdentifier oid = e.nextElement(); + + if (!sb.toString().equals("")) { + sb.append(","); + } + sb.append(oid.toString()); + } + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_OIDS) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + ExtendedKeyUsageExtension ext = createExtension(); + + addExtension(ExtendedKeyUsageExtension.OID, ext, info); + } + + public ExtendedKeyUsageExtension createExtension() { + ExtendedKeyUsageExtension ext = null; + + try { + ext = new ExtendedKeyUsageExtension(); + } catch (Exception e) { + CMS.debug("ExtendedKeyUsageExtDefault: createExtension " + + e.toString()); + } + if (ext == null) + return null; + boolean critical = getBoolean(getConfig(CONFIG_CRITICAL)); + + ext.setCritical(critical); + StringTokenizer st = new StringTokenizer(getConfig(CONFIG_OIDS), ","); + + while (st.hasMoreTokens()) { + String oid = st.nextToken(); + + ext.addOID(new ObjectIdentifier(oid)); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java b/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java new file mode 100644 index 000000000..acbbd1089 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/FreshestCRLExtDefault.java 
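Review bot: In ExtendedKeyUsageExtDefault.setValue, the VAL_OIDS branch hands each comma-separated token straight to `new ObjectIdentifier(oid)` without trimming or validating it, even though the parent EnrollDefault provides `isValidOID` precisely because, as its own comment says, a malformed OID is otherwise only caught at encoding time and leaves a bad request in the queue. Because `ext.deleteAllOIDs()` is commented out, the branch also appends to whatever OIDs `populate` already put into the extension, so repeated calls accumulate entries instead of replacing the list; either restore the reset or document the append semantics on the method. createExtension tokenizes the config value the same untrimmed way, and `new StringTokenizer(getConfig(CONFIG_OIDS), ",")` would throw NullPointerException if getConfig returns null for an unset key (getConfig is not visible here, so that is inferred). The loop below validates and trims each token before adding it.
```java
} else if (name.equals(VAL_OIDS)) {
    // … unchanged: re-fetch extension, return if null …
    StringTokenizer st = new StringTokenizer(value, ",");
    while (st.hasMoreTokens()) {
        String oid = st.nextToken().trim();
        // reject malformed OIDs here rather than at encoding time
        if (!isValidOID(oid)) {
            throw new EPropertyException(CMS.getUserMessage(
                    locale, "CMS_INVALID_PROPERTY", name));
        }
        ext.addOID(new ObjectIdentifier(oid));
    }
```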
@@ -0,0 +1,584 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.x509.CRLDistributionPoint;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.GeneralNamesException;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates Freshest CRL extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class FreshestCRLExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "freshestCRLCritical"; + public static final String CONFIG_NUM_POINTS = "freshestCRLPointNum"; + public static final String CONFIG_POINT_TYPE = "freshestCRLPointType_"; + public static final String CONFIG_POINT_NAME = "freshestCRLPointName_"; + public static final String CONFIG_ISSUER_TYPE = "freshestCRLPointIssuerType_"; + public static final String CONFIG_ISSUER_NAME = "freshestCRLPointIssuerName_"; + public static final String CONFIG_ENABLE = "freshestCRLPointEnable_"; + + public static final String VAL_CRITICAL = "freshestCRLCritical"; + public static final String VAL_CRL_DISTRIBUTION_POINTS = + "freshestCRLPointsValue"; + + private static final String POINT_TYPE = "Point Type"; + private static final String POINT_NAME = "Point Name"; + private static final String ISSUER_TYPE = "Issuer Type"; + private static final String ISSUER_NAME = "Issuer Name"; + private static final String ENABLE = "Enable"; + + private static final int DEF_NUM_POINTS = 1; + private static final int MAX_NUM_POINTS = 100; + + public FreshestCRLExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + protected int getNumPoints() { + int num = DEF_NUM_POINTS; + String val = getConfig(CONFIG_NUM_POINTS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_POINTS) + num = DEF_NUM_POINTS; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POINTS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_POINTS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); 
+ } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POINTS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + addValueName(VAL_CRITICAL); + addValueName(VAL_CRL_DISTRIBUTION_POINTS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPoints(); + + addConfigName(CONFIG_NUM_POINTS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_POINT_TYPE + i); + addConfigName(CONFIG_POINT_NAME + i); + addConfigName(CONFIG_ISSUER_TYPE + i); + addConfigName(CONFIG_ISSUER_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_POINT_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_TYPE")); + } else if (name.startsWith(CONFIG_POINT_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_POINT_NAME")); + } else if (name.startsWith(CONFIG_ISSUER_TYPE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_TYPE")); + } else if (name.startsWith(CONFIG_ISSUER_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_NAME")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POINTS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + 
CMS.getUserMessage(locale, "CMS_PROFILE_NUM_DIST_POINTS")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_DISTRIBUTION_POINTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + FreshestCRLExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) { + populate(locale, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(val); + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + Vector v = parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + int i = 0; + + for (; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String pointType = null; + String pointValue = null; + String issuerType = null; + String issuerValue = null; + String enable = null; + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(POINT_TYPE)) { + pointType = nvps.get(name1); + } else if (name1.equals(POINT_NAME)) { + pointValue = nvps.get(name1); + } else if (name1.equals(ISSUER_TYPE)) { + issuerType = nvps.get(name1); + } else if (name1.equals(ISSUER_NAME)) { + issuerValue = 
nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointValue); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerValue); + + // this is the first distribution point + if (i == 0) { + ext = new FreshestCRLExtension(cdp); + ext.setCritical(critical); + } else { + ext.addPoint(cdp); + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.FreshestCRL_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("FreshestCRLExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private void addCRLPoint(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + try { + if (value == null || value.length() == 0) + return; + + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + gen.addElement(parseGeneralName(type, value)); + cdp.setFullName(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("FreshestCRLExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } catch (GeneralNamesException e) { + CMS.debug("FreshestCRLExtDefault: addCRLPoint " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } + + private void addIssuer(Locale locale, CRLDistributionPoint cdp, String type, + String value) throws EPropertyException { + if (value == null || value.length() == 0) + return; + try { + if (isGeneralNameType(type)) { + GeneralNames gen = new GeneralNames(); + + 
gen.addElement(parseGeneralName(type, value)); + cdp.setCRLIssuer(gen); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", type)); + } + } catch (IOException e) { + CMS.debug("FreshestCRLExtDefault: addIssuer " + + e.toString()); + } catch (GeneralNamesException e) { + CMS.debug("FreshestCRLExtDefault: addIssuer " + + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + FreshestCRLExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + if (ext == null) { + try { + populate(locale, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_CRL_DISTRIBUTION_POINTS)) { + ext = (FreshestCRLExtension) + getExtension(FreshestCRLExtension.OID, + info); + + if (ext == null) + return ""; + + Vector recs = new Vector(); + int num = getNumPoints(); + for (int i = 0; i < num; i++) { + NameValuePairs pairs = null; + + if (i < ext.getNumPoints()) { + CRLDistributionPoint p = ext.getPointAt(i); + GeneralNames gns = p.getFullName(); + + pairs = buildGeneralNames(gns, p); + } else { + pairs = buildEmptyGeneralNames(); + } + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + protected NameValuePairs buildEmptyGeneralNames() { + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, 
""); + pairs.put(ISSUER_TYPE, ""); + pairs.put(ISSUER_NAME, ""); + pairs.put(ENABLE, "false"); + return pairs; + } + + protected NameValuePairs buildGeneralNames(GeneralNames gns, CRLDistributionPoint p) + throws EPropertyException { + + NameValuePairs pairs = new NameValuePairs(); + + boolean hasFullName = false; + + pairs.put(ENABLE, "true"); + if (gns == null) { + pairs.put(POINT_TYPE, ""); + pairs.put(POINT_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(POINT_TYPE, getGeneralNameType(gn)); + pairs.put(POINT_NAME, getGeneralNameValue(gn)); + } + } + + if (!hasFullName) { + pairs.put(POINT_TYPE, GN_DIRECTORY_NAME); + pairs.put(POINT_NAME, ""); + } + + gns = p.getCRLIssuer(); + + if (gns == null) { + pairs.put(ISSUER_TYPE, GN_DIRECTORY_NAME); + pairs.put(ISSUER_NAME, ""); + } else { + GeneralName gn = (GeneralName) gns.elementAt(0); + + if (gn != null) { + hasFullName = true; + + pairs.put(ISSUER_TYPE, getGeneralNameType(gn)); + pairs.put(ISSUER_NAME, getGeneralNameValue(gn)); + } + } + return pairs; + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPoints(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(POINT_TYPE + ":"); + sb.append(getConfig(CONFIG_POINT_TYPE + i)); + sb.append(","); + sb.append(POINT_NAME + ":"); + sb.append(getConfig(CONFIG_POINT_NAME + i)); + sb.append(","); + sb.append(ISSUER_TYPE + ":"); + sb.append(getConfig(CONFIG_ISSUER_TYPE + i)); + sb.append(","); + sb.append(ISSUER_NAME + ":"); + sb.append(getConfig(CONFIG_ISSUER_NAME + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_FRESHEST_CRL_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + FreshestCRLExtension ext = createExtension(request); + + if (ext == null) + return; + addExtension(FreshestCRLExtension.OID, ext, info); + } + + public FreshestCRLExtension createExtension(IRequest request) { + FreshestCRLExtension ext = new FreshestCRLExtension(); + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + ext.setCritical(critical); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(getLocale(request), cdp, pointType, pointName); + if (issuerType != null) + addIssuer(getLocale(request), cdp, issuerType, issuerName); + + ext.addPoint(cdp); + } + } + } catch (Exception e) { + CMS.debug("FreshestCRLExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + /** + * Populates the request with this policy default. 
+ */ + private void populate(Locale locale, X509CertInfo info) + throws EProfileException { + FreshestCRLExtension ext = createExtension(locale); + + if (ext == null) + return; + addExtension(FreshestCRLExtension.OID, ext, info); + } + + public FreshestCRLExtension createExtension(Locale locale) { + FreshestCRLExtension ext = new FreshestCRLExtension(); + int num = 0; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + ext.setCritical(critical); + + num = getNumPoints(); + for (int i = 0; i < num; i++) { + CRLDistributionPoint cdp = new CRLDistributionPoint(); + + String enable = getConfig(CONFIG_ENABLE + i); + String pointType = getConfig(CONFIG_POINT_TYPE + i); + String pointName = getConfig(CONFIG_POINT_NAME + i); + String issuerType = getConfig(CONFIG_ISSUER_TYPE + i); + String issuerName = getConfig(CONFIG_ISSUER_NAME + i); + + if (enable != null && enable.equals("true")) { + if (pointType != null) + addCRLPoint(locale, cdp, pointType, pointName); + if (issuerType != null) + addIssuer(locale, cdp, issuerType, issuerName); + + ext.addPoint(cdp); + } + } + } catch (Exception e) { + CMS.debug("FreshestCRLExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java b/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java new file mode 100644 index 000000000..1797091b7 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/GenericExtDefault.java 
@@ -0,0 +1,260 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.Extension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a Netscape comment extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class GenericExtDefault extends EnrollExtDefault {
+
+ public static final String CONFIG_CRITICAL = "genericExtCritical";
+ public static final String CONFIG_OID = "genericExtOID";
+ public static final String CONFIG_DATA = "genericExtData";
+
+ public static final String VAL_CRITICAL = "genericExtCritical";
+ public static final String VAL_DATA = "genericExtData";
+
+ public GenericExtDefault() {
+ super();
+ addValueName(VAL_CRITICAL);
+ addValueName(VAL_DATA);
+
+ addConfigName(CONFIG_CRITICAL);
+ addConfigName(CONFIG_OID);
+ addConfigName(CONFIG_DATA);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_CRITICAL)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null,
+ "false",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(CONFIG_OID)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ "Comment Here...",
+ CMS.getUserMessage(locale, "CMS_PROFILE_OID"));
+ } else if (name.equals(CONFIG_DATA)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ "Comment Here...",
+ CMS.getUserMessage(locale, "CMS_PROFILE_EXT_VALUE"));
+ } else {
+ return null;
+ }
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_CRITICAL)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null,
+ "false",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(VAL_DATA)) {
+ return new Descriptor(IDescriptor.STRING_LIST, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_EXT_VALUE"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ try {
+ Extension ext = null;
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID));
+
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+
+ if (ext == null) {
+ populate(null, info);
+ }
+
+ if (name.equals(VAL_CRITICAL)) {
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+ if (ext == null) {
+ return;
+ }
+ boolean val = Boolean.valueOf(value).booleanValue();
+ ext.setCritical(val);
+ } else if (name.equals(VAL_DATA)) {
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+ if (ext == null) {
+ return;
+ }
+ byte data[] = getBytes(value);
+ ext.setExtensionValue(data);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ replaceExtension(ext.getExtensionId().toString(), ext, info);
+ } catch (EProfileException e) {
+ CMS.debug("GenericExtDefault: setValue " + e.toString());
+ }
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ Extension ext = null;
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID));
+
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+
+ if (ext == null) {
+ try {
+ populate(null, info);
+
+ } catch (EProfileException e) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ }
+
+ if (name.equals(VAL_CRITICAL)) {
+
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+
+ if (ext == null) {
+ return null;
+ }
+ if (ext.isCritical()) {
+ return "true";
+ } else {
+ return "false";
+ }
+ } else if (name.equals(VAL_DATA)) {
+
+ ext = (Extension)
+ getExtension(oid.toString(), info);
+
+ if (ext == null)
+ return "";
+
+ byte data[] = ext.getExtensionValue();
+
+ if (data == null)
+ return "";
+
+ return toStr(data);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_CRITICAL),
+ getConfig(CONFIG_OID),
+ getConfig(CONFIG_DATA)
+ };
+
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_GENERIC_EXT", params);
+ }
+
+ public String toStr(byte data[]) {
+ StringBuffer b = new StringBuffer();
+ for (int i = 0; i < data.length; i++) {
+ if ((data[i] & 0xff) < 16) {
+ b.append("0");
+ }
+ b.append(Integer.toString((int) (data[i] & 0xff), 0x10));
+ }
+ return b.toString();
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ Extension ext = createExtension(request);
+
+ addExtension(ext.getExtensionId().toString(), ext, info);
+ }
+
+ public Extension createExtension(IRequest request) {
+ Extension ext = null;
+
+ try {
+ boolean critical = getConfigBoolean(CONFIG_CRITICAL);
+ ObjectIdentifier oid = new ObjectIdentifier(getConfig(CONFIG_OID));
+ byte data[] = null;
+
+ if (request == null) {
+ data = getBytes(getConfig(CONFIG_DATA));
+ } else {
+ data = getBytes(mapPattern(request, getConfig(CONFIG_DATA)));
+ }
+
+ DerOutputStream out = new DerOutputStream();
+ out.putOctetString(data);
+
+ ext = new Extension(oid, critical, out.toByteArray());
+ } catch (Exception e) {
+ CMS.debug("GenericExtDefault: createExtension " +
+ e.toString());
+ }
+ return ext;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/ImageDefault.java b/base/common/src/com/netscape/cms/profile/def/ImageDefault.java
new file mode 100644
index 000000000..16a7ac402
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/ImageDefault.java
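Review bot: `populate(IRequest, X509CertInfo)` near the end of this hunk dereferences the result of `createExtension(request)` unconditionally, but `createExtension` catches every exception and returns `null` (a malformed `genericExtOID` configuration value is the obvious trigger), so a bad profile configuration surfaces as a NullPointerException instead of the EProfileException the method declares. Add a guard before the `addExtension` call: `if (ext == null) { throw new EProfileException("GenericExtDefault: could not create extension for OID " + getConfig(CONFIG_OID)); }`. The same unchecked `new ObjectIdentifier(getConfig(CONFIG_OID))` is repeated in `setValue` and `getValue` outside any handler, where a malformed configured OID presumably escapes as an unchecked exception rather than the EPropertyException callers expect. Note also that when a request is present the extension body comes from `mapPattern(request, getConfig(CONFIG_DATA))`, i.e. request attributes can be substituted into the extension's OCTET STRING; the DER wrapping keeps the value opaque, but whatever `mapPattern` expands is issued without further validation, so profiles using this default should be reviewed for which attributes they interpolate.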
@@ -0,0 +1,105 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that shows an image in the approval page.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ImageDefault extends EnrollDefault {
+
+ public static final String INPUT_IMAGE_URL = "image_url";
+
+ public static final String VAL_IMAGE_URL = "pd_image_url";
+
+ public ImageDefault() {
+ super();
+ addValueName(VAL_IMAGE_URL);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_IMAGE_URL)) {
+ return new Descriptor(IDescriptor.IMAGE_URL, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_IMAGE"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale, IRequest request)
+ throws EPropertyException {
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ if (name.equals(VAL_IMAGE_URL)) {
+ return request.getExtDataInString(INPUT_IMAGE_URL);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_IMAGE");
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java b/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java
new file mode 100644
index 000000000..97cfb3ff4
--- /dev/null
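Review bot: `getValue(String, Locale, IRequest)` returns `request.getExtDataInString(INPUT_IMAGE_URL)` verbatim, so a string carried in the enrollment request is handed to the agent approval page under an `IDescriptor.IMAGE_URL` descriptor with no check on its scheme or length in this class. Whether the rendering layer escapes and constrains that value is outside this hunk; if it does not, the requester controls an attribute on the agent's page. Consider restricting it here, e.g. `String url = request.getExtDataInString(INPUT_IMAGE_URL);` followed by `if (url != null && !(url.startsWith("http://") || url.startsWith("https://"))) return null;`, and treat a `null` `request` explicitly, since the parameter is dereferenced unchecked.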
+++ b/base/common/src/com/netscape/cms/profile/def/InhibitAnyPolicyExtDefault.java 
@@ -0,0 +1,271 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.math.BigInteger; +import java.util.Locale; + +import netscape.security.extensions.InhibitAnyPolicyExtension; +import netscape.security.util.BigInt; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an inhibit Any-Policy extension + * + * @version $Revision$, $Date$ + */ +public class InhibitAnyPolicyExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "critical"; + public static final String CONFIG_SKIP_CERTS = "skipCerts"; + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_SKIP_CERTS = "skipCerts"; + + private static final String SKIP_CERTS = "Skip Certs"; + private static final String GN_PATTERN = "Pattern"; + + 
public InhibitAnyPolicyExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_SKIP_CERTS); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SKIP_CERTS); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_SKIP_CERTS)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_SKIP_CERTS")); + } else { + return null; + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_SKIP_CERTS)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_SKIP_CERTS)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, "true", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_SKIP_CERTS)) { + return new Descriptor(IDescriptor.INTEGER, null, "0", + CMS.getUserMessage(locale, "CMS_PROFILE_SKIP_CERTS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + InhibitAnyPolicyExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (InhibitAnyPolicyExtension) + 
getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = Boolean.valueOf(value).booleanValue(); + + ext.setCritical(critical); + } else if (name.equals(VAL_SKIP_CERTS)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = ext.isCritical(); + if (value.equals("")) { + // if value is empty, do not add this extension + deleteExtension(InhibitAnyPolicyExtension.OID, info); + return; + } + BigInt num = null; + try { + BigInteger l = new BigInteger(value); + num = new BigInt(l); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + ext = new InhibitAnyPolicyExtension(critical, + num); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + replaceExtension(InhibitAnyPolicyExtension.OID, ext, info); + } catch (EProfileException e) { + CMS.debug("InhibitAnyPolicyExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + InhibitAnyPolicyExtension ext = + (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + if (name.equals(VAL_CRITICAL)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + + if (ext == null) { + return null; + } + 
if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_SKIP_CERTS)) { + ext = (InhibitAnyPolicyExtension) + getExtension(InhibitAnyPolicyExtension.OID, info); + if (ext == null) { + return null; + } + + BigInt n = ext.getSkipCerts(); + return "" + n.toInt(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + /* + * returns text that goes into description for this extension on + * a profile + */ + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + sb.append(SKIP_CERTS + ":"); + sb.append(getConfig(CONFIG_SKIP_CERTS)); + + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_INHIBIT_ANY_POLICY_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + InhibitAnyPolicyExtension ext = null; + + ext = createExtension(request); + addExtension(InhibitAnyPolicyExtension.OID, ext, info); + } + + public InhibitAnyPolicyExtension createExtension(IRequest request) + throws EProfileException { + InhibitAnyPolicyExtension ext = null; + + boolean critical = Boolean.valueOf( + getConfig(CONFIG_CRITICAL)).booleanValue(); + + String str = getConfig(CONFIG_SKIP_CERTS); + if (str == null || str.equals("")) { + ext = new InhibitAnyPolicyExtension(); + ext.setCritical(critical); + } else { + BigInt val = null; + try { + BigInteger b = new BigInteger(str); + val = new BigInt(b); + } catch (NumberFormatException e) { + throw new EProfileException( + CMS.getUserMessage("CMS_PROFILE_INHIBIT_ANY_POLICY_WRONG_SKIP_CERTS")); + } + + try { + ext = new InhibitAnyPolicyExtension(critical, val); + } catch (Exception e) { + CMS.debug(e.toString()); + } + } + + return ext; + } +} 
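Review bot: Neither `setConfig` (`Integer.parseInt(value)`) nor `createExtension` and `setValue` (`new BigInteger(...)`) rejects a negative skipCerts value, although RFC 5280 defines SkipCerts as INTEGER (0..MAX), so a configured or submitted value such as `-1` is encoded into the extension as-is. Add a sign check after each parse, e.g. in `createExtension`: `if (b.signum() < 0) throw new EProfileException(CMS.getUserMessage("CMS_PROFILE_INHIBIT_ANY_POLICY_WRONG_SKIP_CERTS"));`, with the corresponding EPropertyException in `setValue` and `setConfig`. Separately, `createExtension` only logs when `new InhibitAnyPolicyExtension(critical, val)` throws and leaves `ext` null, which `populate` then passes straight to `addExtension`. `getValue` also returns `"" + n.toInt()`, which presumably truncates values that do not fit in an int; rendering the BigInt directly would avoid that.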
diff --git a/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java b/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
new file mode 100644
index 000000000..251d8a3e7
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
@@ -0,0 +1,317 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.IssuerAlternativeNameExtension;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a issuer alternative name extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IssuerAltNameExtDefault extends EnrollExtDefault {
+
+ public static final String CONFIG_CRITICAL = "issuerAltNameExtCritical";
+ public static final String CONFIG_TYPE = "issuerAltExtType";
+ public static final String CONFIG_PATTERN = "issuerAltExtPattern";
+
+ public static final String VAL_CRITICAL = "issuerAltNameExtCritical";
+ public static final String VAL_GENERAL_NAMES = "issuerAltNames";
+
+ public IssuerAltNameExtDefault() {
+ super();
+ addValueName(VAL_CRITICAL);
+ addValueName(VAL_GENERAL_NAMES);
+
+ addConfigName(CONFIG_CRITICAL);
+ addConfigName(CONFIG_TYPE);
+ addConfigName(CONFIG_PATTERN);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_CRITICAL)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null,
+ "false",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(CONFIG_TYPE)) {
+ return new Descriptor(IDescriptor.CHOICE,
+ "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName",
+ "RFC822Name",
+ CMS.getUserMessage(locale,
+ "CMS_PROFILE_ISSUER_ALT_NAME_TYPE"));
+ } else if (name.equals(CONFIG_PATTERN)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale,
+ "CMS_PROFILE_ISSUER_ALT_NAME_PATTERN"));
+ } else {
+ return null;
+ }
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_CRITICAL)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null,
+ "false",
+ CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL"));
+ } else if (name.equals(VAL_GENERAL_NAMES)) {
+ return new Descriptor(IDescriptor.STRING_LIST, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES"));
+ } else {
+ return null;
+ }
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ try {
+ IssuerAlternativeNameExtension ext = null;
+
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+
+ if (ext == null) {
+ try {
+ populate(null, info);
+
+ } catch (EProfileException e) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ }
+
+ if (name.equals(VAL_CRITICAL)) {
+ ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+
+ if (ext == null) {
+ // it is ok, the extension is never populated or delted
+ return;
+ }
+ boolean critical = Boolean.valueOf(value).booleanValue();
+
+ ext.setCritical(critical);
+ } else if (name.equals(VAL_GENERAL_NAMES)) {
+ ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+
+ if (ext == null) {
+ // it is ok, the extension is never populated or delted
+ return;
+ }
+ if (value.equals("")) {
+ // if value is empty, do not add this extension
+ deleteExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+ return;
+ }
+ GeneralNames gn = new GeneralNames();
+ StringTokenizer st = new StringTokenizer(value, "\r\n");
+
+ while (st.hasMoreTokens()) {
+ String gname = (String) st.nextToken();
+
+ GeneralNameInterface n = parseGeneralName(gname);
+ if (n != null) {
+ gn.addElement(n);
+ }
+ }
+ ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn);
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ replaceExtension(
+ PKIXExtensions.IssuerAlternativeName_Id.toString(),
+ ext, info);
+ } catch (IOException e) {
+ CMS.debug("IssuerAltNameExtDefault: setValue " + e.toString());
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ } catch (EProfileException e) {
+ CMS.debug("IssuerAltNameExtDefault: setValue " + e.toString());
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ try {
+ if (name == null) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ IssuerAlternativeNameExtension ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+
+ if (ext == null) {
+
+ try {
+ populate(null, info);
+
+ } catch (EProfileException e) {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+
+ }
+
+ if (name.equals(VAL_CRITICAL)) {
+ ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+
+ if (ext == null) {
+ return null;
+ }
+ if (ext.isCritical()) {
+ return "true";
+ } else {
+ return "false";
+ }
+ } else if (name.equals(VAL_GENERAL_NAMES)) {
+ ext =
+ (IssuerAlternativeNameExtension)
+ getExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(), info);
+ if (ext == null) {
+ return "";
+ }
+
+ GeneralNames names = (GeneralNames)
+ ext.get(IssuerAlternativeNameExtension.ISSUER_NAME);
+ StringBuffer sb = new StringBuffer();
+ Enumeration e = names.elements();
+
+ while (e.hasMoreElements()) {
+ GeneralName gn = (GeneralName) e.nextElement();
+
+ if (!sb.toString().equals("")) {
+ sb.append("\r\n");
+ }
+ sb.append(toGeneralNameString(gn));
+ }
+ return sb.toString();
+ } else {
+ throw new EPropertyException(CMS.getUserMessage(
+ locale, "CMS_INVALID_PROPERTY", name));
+ }
+ } catch (IOException e) {
+ CMS.debug("IssuerAltNameExtDefault: getValue " +
+ e.toString());
+ }
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ String params[] = {
+ getConfig(CONFIG_CRITICAL),
+ getConfig(CONFIG_PATTERN),
+ getConfig(CONFIG_TYPE)
+ };
+
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_ISSUER_ALT_NAME_EXT", params);
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ IssuerAlternativeNameExtension ext = null;
+
+ try {
+ ext = createExtension(request);
+
+ } catch (IOException e) {
+ CMS.debug("IssuerAltNameExtDefault: populate " + e.toString());
+ }
+ addExtension(PKIXExtensions.IssuerAlternativeName_Id.toString(),
+ ext, info);
+ }
+
+ public IssuerAlternativeNameExtension createExtension(IRequest request)
+ throws IOException {
+ IssuerAlternativeNameExtension ext = null;
+
+ try {
+ ext = new IssuerAlternativeNameExtension();
+ } catch (Exception e) {
+ CMS.debug(e.toString());
+ throw new IOException(e.toString());
+ }
+ boolean critical = Boolean.valueOf(
+ getConfig(CONFIG_CRITICAL)).booleanValue();
+ String pattern = getConfig(CONFIG_PATTERN);
+
+ if (!pattern.equals("")) {
+ GeneralNames gn = new GeneralNames();
+
+ String gname = "";
+
+ if (request != null) {
+ gname = mapPattern(request, pattern);
+ }
+
+ gn.addElement(parseGeneralName(
+ getConfig(CONFIG_TYPE) + ":" + gname));
+ ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn);
+ }
+ ext.setCritical(critical);
+ return ext;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java b/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java
new file mode 100644
index 000000000..1bfda9ad9
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/KeyUsageExtDefault.java
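Review bot: `createExtension` calls `pattern.equals("")` on the raw `getConfig(CONFIG_PATTERN)` result, which throws NullPointerException when the property is absent; `InhibitAnyPolicyExtDefault.createExtension` in this same commit guards the equivalent read with `str == null || str.equals("")`, so use `if (pattern != null && !pattern.equals("")) {` here. In the same method the `parseGeneralName(...)` result is added to `gn` unchecked, whereas `setValue` earlier in the hunk only adds it `if (n != null)`; and `populate` catches the IOException from `createExtension` but still calls `addExtension(..., ext, info)` with `ext` left null, rather than propagating the failure as an EProfileException. Since `mapPattern(request, pattern)` lets request attributes flow into an issuer-identifying extension, an unexpected value carried by the request is the realistic path into these branches, so failing closed there matters.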
@@ -0,0 +1,511 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.KeyUsageExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Key Usage extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class KeyUsageExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "keyUsageCritical"; + public static final String CONFIG_DIGITAL_SIGNATURE = + "keyUsageDigitalSignature"; + public static final String CONFIG_NON_REPUDIATION = + "keyUsageNonRepudiation"; + public static final String CONFIG_KEY_ENCIPHERMENT = + "keyUsageKeyEncipherment"; + public static final String CONFIG_DATA_ENCIPHERMENT = + "keyUsageDataEncipherment"; + public static final String CONFIG_KEY_AGREEMENT = "keyUsageKeyAgreement"; + public static final String CONFIG_KEY_CERTSIGN = "keyUsageKeyCertSign"; + public static final String CONFIG_CRL_SIGN = "keyUsageCrlSign"; + public static final String CONFIG_ENCIPHER_ONLY = "keyUsageEncipherOnly"; + public static final String CONFIG_DECIPHER_ONLY = "keyUsageDecipherOnly"; + + public static final String VAL_CRITICAL = "keyUsageCritical"; + public static final String VAL_DIGITAL_SIGNATURE = + "keyUsageDigitalSignature"; + public static final String VAL_NON_REPUDIATION = + "keyUsageNonRepudiation"; + public static final String VAL_KEY_ENCIPHERMENT = + "keyUsageKeyEncipherment"; + public static final String VAL_DATA_ENCIPHERMENT = + "keyUsageDataEncipherment"; + public static final String VAL_KEY_AGREEMENT = "keyUsageKeyAgreement"; + public static final String VAL_KEY_CERTSIGN = "keyUsageKeyCertSign"; + public static final String VAL_CRL_SIGN = "keyUsageCrlSign"; + public static final String VAL_ENCIPHER_ONLY = "keyUsageEncipherOnly"; + public static final String VAL_DECIPHER_ONLY = "keyUsageDecipherOnly"; + + public KeyUsageExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_DIGITAL_SIGNATURE); + addValueName(VAL_NON_REPUDIATION); + addValueName(VAL_KEY_ENCIPHERMENT); + addValueName(VAL_DATA_ENCIPHERMENT); + addValueName(VAL_KEY_AGREEMENT); + addValueName(VAL_KEY_CERTSIGN); + addValueName(VAL_CRL_SIGN); + addValueName(VAL_ENCIPHER_ONLY); + 
addValueName(VAL_DECIPHER_ONLY); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_DIGITAL_SIGNATURE); + addConfigName(CONFIG_NON_REPUDIATION); + addConfigName(CONFIG_KEY_ENCIPHERMENT); + addConfigName(CONFIG_DATA_ENCIPHERMENT); + addConfigName(CONFIG_KEY_AGREEMENT); + addConfigName(CONFIG_KEY_CERTSIGN); + addConfigName(CONFIG_CRL_SIGN); + addConfigName(CONFIG_ENCIPHER_ONLY); + addConfigName(CONFIG_DECIPHER_ONLY); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_DIGITAL_SIGNATURE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); + } else if (name.equals(CONFIG_NON_REPUDIATION)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); + } else if (name.equals(CONFIG_KEY_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); + } else if (name.equals(CONFIG_DATA_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); + } else if (name.equals(CONFIG_KEY_AGREEMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); + } else if (name.equals(CONFIG_KEY_CERTSIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); + } else if (name.equals(CONFIG_CRL_SIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_CRL_SIGN")); + } else if (name.equals(CONFIG_ENCIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); + } else if (name.equals(CONFIG_DECIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DIGITAL_SIGNATURE")); + } else if (name.equals(VAL_NON_REPUDIATION)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NON_REPUDIATION")); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ENCIPHERMENT")); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DATA_ENCIPHERMENT")); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_AGREEMENT")); + } else if (name.equals(VAL_KEY_CERTSIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_CERTSIGN")); + } else if (name.equals(VAL_CRL_SIGN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRL_SIGN")); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENCIPHER_ONLY")); + } 
else if (name.equals(VAL_DECIPHER_ONLY)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_DECIPHER_ONLY")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + KeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + populate(null, info); + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DIGITAL_SIGNATURE, val); + } else if (name.equals(VAL_NON_REPUDIATION)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.NON_REPUDIATION, val); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_ENCIPHERMENT, val); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DATA_ENCIPHERMENT, val); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + ext = 
(KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_AGREEMENT, val); + } else if (name.equals(VAL_KEY_CERTSIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.KEY_CERTSIGN, val); + } else if (name.equals(VAL_CRL_SIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.CRL_SIGN, val); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.ENCIPHER_ONLY, val); + } else if (name.equals(VAL_DECIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(KeyUsageExtension.DECIPHER_ONLY, val); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.KeyUsage_Id.toString(), ext, info); + } catch (IOException e) { + CMS.debug("KeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("KeyUsageExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, 
"CMS_INVALID_PROPERTY", name)); + } + + KeyUsageExtension ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_DIGITAL_SIGNATURE)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DIGITAL_SIGNATURE); + + return val.toString(); + } else if (name.equals(VAL_NON_REPUDIATION)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.NON_REPUDIATION); + + return val.toString(); + } else if (name.equals(VAL_KEY_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_ENCIPHERMENT); + + return val.toString(); + } else if (name.equals(VAL_DATA_ENCIPHERMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DATA_ENCIPHERMENT); + + return val.toString(); + } else if (name.equals(VAL_KEY_AGREEMENT)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_AGREEMENT); + + return val.toString(); + } else if 
(name.equals(VAL_KEY_CERTSIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.KEY_CERTSIGN); + + return val.toString(); + } else if (name.equals(VAL_CRL_SIGN)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.CRL_SIGN); + + return val.toString(); + } else if (name.equals(VAL_ENCIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.ENCIPHER_ONLY); + + return val.toString(); + } else if (name.equals(VAL_DECIPHER_ONLY)) { + ext = (KeyUsageExtension) + getExtension(PKIXExtensions.KeyUsage_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) + ext.get(KeyUsageExtension.DECIPHER_ONLY); + + return val.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("KeyUsageExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_DIGITAL_SIGNATURE), + getConfig(CONFIG_NON_REPUDIATION), + getConfig(CONFIG_KEY_ENCIPHERMENT), + getConfig(CONFIG_DATA_ENCIPHERMENT), + getConfig(CONFIG_KEY_AGREEMENT), + getConfig(CONFIG_KEY_CERTSIGN), + getConfig(CONFIG_CRL_SIGN), + getConfig(CONFIG_ENCIPHER_ONLY), + getConfig(CONFIG_DECIPHER_ONLY) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_KEY_USAGE_EXT", params); + + } + + /** + * Populates the request with this policy default. 
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ KeyUsageExtension ext = createKeyUsageExtension();
+
+ addExtension(PKIXExtensions.KeyUsage_Id.toString(), ext, info);
+ }
+
+ public KeyUsageExtension createKeyUsageExtension() {
+ KeyUsageExtension ext = null;
+ boolean[] bits = new boolean[KeyUsageExtension.NBITS];
+
+ boolean critical = getConfigBoolean(CONFIG_CRITICAL);
+
+ bits[0] = getConfigBoolean(CONFIG_DIGITAL_SIGNATURE);
+ bits[1] = getConfigBoolean(CONFIG_NON_REPUDIATION);
+ bits[2] = getConfigBoolean(CONFIG_KEY_ENCIPHERMENT);
+ bits[3] = getConfigBoolean(CONFIG_DATA_ENCIPHERMENT);
+ bits[4] = getConfigBoolean(CONFIG_KEY_AGREEMENT);
+ bits[5] = getConfigBoolean(CONFIG_KEY_CERTSIGN);
+ bits[6] = getConfigBoolean(CONFIG_CRL_SIGN);
+ bits[7] = getConfigBoolean(CONFIG_ENCIPHER_ONLY);
+ bits[8] = getConfigBoolean(CONFIG_DECIPHER_ONLY);
+ try {
+ ext = new KeyUsageExtension(critical, bits);
+ } catch (Exception e) {
+ CMS.debug("KeyUsageExtDefault: createKeyUsageExtension " +
+ e.toString());
+ }
+ return ext;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java
new file mode 100644
index 000000000..cc96f3e90
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/NSCCommentExtDefault.java
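Review bot: populate() passes the result of createKeyUsageExtension() straight to addExtension() without a null check, and createKeyUsageExtension() returns null after merely logging any exception from the KeyUsageExtension constructor, so a construction failure would leave the certificate template without the Key Usage extension this profile exists to impose (addExtension() is defined outside this file, so what it does with a null extension is not visible here). Since populate() already declares EProfileException, failing loudly is a one-line guard before the addExtension() call: `if (ext == null) { throw new EProfileException("KeyUsageExtDefault: could not create Key Usage extension"); }`. The bit indices 0–8 in createKeyUsageExtension() are hard-coded and presumably follow the KeyUsage BIT STRING order of RFC 5280; a comment such as `// bit order follows the KeyUsage BIT STRING: digitalSignature(0) ... decipherOnly(8)` would record that assumption for the next maintainer.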
@@ -0,0 +1,246 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.NSCCommentExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Netscape comment extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NSCCommentExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nscCommentCritical"; + public static final String CONFIG_COMMENT = "nscCommentContent"; + + public static final String VAL_CRITICAL = "nscCommentCritical"; + public static final String VAL_COMMENT = "nscCommentContent"; + + public NSCCommentExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_COMMENT); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_COMMENT); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_COMMENT)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_COMMENT")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_COMMENT)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_COMMENT")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NSCCommentExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = NSCCommentExtension.OID; + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if 
(name.equals(VAL_CRITICAL)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_COMMENT)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + if (value == null || value.equals("")) + ext = new NSCCommentExtension(critical, ""); + // throw new EPropertyException(name+" cannot be empty"); + else + ext = new NSCCommentExtension(critical, value); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("NSCCommentExtDefault: setValue " + e.toString()); + } catch (EProfileException e) { + CMS.debug("NSCCommentExtDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + NSCCommentExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = NSCCommentExtension.OID; + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_COMMENT)) { + + ext = (NSCCommentExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + String comment = ext.getComment(); + + if (comment == null) + 
comment = ""; + + return comment; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_COMMENT) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NS_COMMENT_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NSCCommentExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public NSCCommentExtension createExtension() { + NSCCommentExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + String comment = getConfig(CONFIG_COMMENT); + + if (comment == null || comment.equals("")) + ext = new NSCCommentExtension(critical, ""); + else + ext = new NSCCommentExtension(critical, comment); + } catch (Exception e) { + CMS.debug("NSCCommentExtension: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java new file mode 100644 index 000000000..0677ef69f --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NSCertTypeExtDefault.java 
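Review bot: populate() dereferences the return of createExtension() through ext.getExtensionId(), but createExtension() returns null after only logging any exception from the NSCCommentExtension constructor, so a construction failure becomes a NullPointerException rather than the EProfileException that populate() declares. A guard before the addExtension() call, `if (ext == null) { throw new EProfileException("NSCCommentExtDefault: could not create Netscape comment extension"); }`, keeps the failure on the declared path. Separately, setValue() catches IOException and EProfileException and only logs them, so a rejected value is reported to the caller as success while the template is left unchanged; KeyUsageExtDefault.setValue() in this same commit rethrows both as `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` and this class should do the same.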
@@ -0,0 +1,419 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.security.cert.CertificateException; +import java.util.Locale; + +import netscape.security.extensions.NSCertTypeExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a Netscape Certificate Type extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NSCertTypeExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nsCertCritical"; + public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient"; + public static final String CONFIG_SSL_SERVER = "nsCertSSLServer"; + public static final String CONFIG_EMAIL = "nsCertEmail"; + public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String CONFIG_SSL_CA = "nsCertSSLCA"; + public static final String CONFIG_EMAIL_CA = "nsCertEmailCA"; + public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public static final String VAL_CRITICAL = "nsCertCritical"; + public static final String VAL_SSL_CLIENT = "nsCertSSLClient"; + public static final String VAL_SSL_SERVER = "nsCertSSLServer"; + public static final String VAL_EMAIL = "nsCertEmail"; + public static final String VAL_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String VAL_SSL_CA = "nsCertSSLCA"; + public static final String VAL_EMAIL_CA = "nsCertEmailCA"; + public static final String VAL_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public NSCertTypeExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_SSL_CLIENT); + addValueName(VAL_SSL_SERVER); + addValueName(VAL_EMAIL); + addValueName(VAL_OBJECT_SIGNING); + addValueName(VAL_SSL_CA); + addValueName(VAL_EMAIL_CA); + addValueName(VAL_OBJECT_SIGNING_CA); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SSL_CLIENT); + addConfigName(CONFIG_SSL_SERVER); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_OBJECT_SIGNING); + addConfigName(CONFIG_SSL_CA); + addConfigName(CONFIG_EMAIL_CA); + addConfigName(CONFIG_OBJECT_SIGNING_CA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + 
return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_SSL_CLIENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(CONFIG_SSL_SERVER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); + } else if (name.equals(CONFIG_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(CONFIG_SSL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(CONFIG_EMAIL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING_CA")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_SSL_CLIENT)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(VAL_SSL_SERVER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(VAL_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_EMAIL")); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(VAL_SSL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(VAL_EMAIL_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING_CA")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NSCertTypeExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + populate(null, info); + + } + if (name.equals(VAL_CRITICAL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_SSL_CLIENT)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_CLIENT, val); + } else if (name.equals(VAL_SSL_SERVER)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_SERVER, val); + } else if (name.equals(VAL_EMAIL)) { + ext = (NSCertTypeExtension) + 
getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.EMAIL, val); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.OBJECT_SIGNING, val); + } else if (name.equals(VAL_SSL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.SSL_CA, val); + } else if (name.equals(VAL_EMAIL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.EMAIL_CA, val); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return; + } + Boolean val = Boolean.valueOf(value); + + ext.set(NSCertTypeExtension.OBJECT_SIGNING_CA, val); + } else { + throw new EPropertyException("Invalid name " + name); + } + replaceExtension(NSCertTypeExtension.CertType_Id.toString(), ext, info); + } catch (CertificateException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } catch (EProfileException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + NSCertTypeExtension ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + try { + 
populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_SSL_CLIENT)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_CLIENT); + + return val.toString(); + } else if (name.equals(VAL_SSL_SERVER)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_SERVER); + + return val.toString(); + } else if (name.equals(VAL_EMAIL)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.EMAIL); + + return val.toString(); + } else if (name.equals(VAL_OBJECT_SIGNING)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.OBJECT_SIGNING); + + return val.toString(); + } else if (name.equals(VAL_SSL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.SSL_CA); + + return val.toString(); + } else if (name.equals(VAL_EMAIL_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) 
ext.get(NSCertTypeExtension.EMAIL_CA); + + return val.toString(); + } else if (name.equals(VAL_OBJECT_SIGNING_CA)) { + ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + if (ext == null) { + return null; + } + Boolean val = (Boolean) ext.get(NSCertTypeExtension.OBJECT_SIGNING_CA); + + return val.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (CertificateException e) { + CMS.debug("NSCertTypeExtDefault: setValue " + e.toString()); + } + return null; + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), + getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), + getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), + getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NS_CERT_TYPE_EXT", params); + + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NSCertTypeExtension ext = createExtension(); + + addExtension(NSCertTypeExtension.CertType_Id.toString(), ext, info); + } + + public NSCertTypeExtension createExtension() { + NSCertTypeExtension ext = null; + boolean[] bits = new boolean[NSCertTypeExtension.NBITS]; + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + bits[0] = getConfigBoolean(CONFIG_SSL_CLIENT); + bits[1] = getConfigBoolean(CONFIG_SSL_SERVER); + bits[2] = getConfigBoolean(CONFIG_EMAIL); + bits[3] = getConfigBoolean(CONFIG_OBJECT_SIGNING); + bits[4] = getConfigBoolean(CONFIG_SSL_CA); + bits[5] = getConfigBoolean(CONFIG_EMAIL_CA); + bits[6] = getConfigBoolean(CONFIG_OBJECT_SIGNING_CA); + try { + ext = new NSCertTypeExtension(critical, bits); + } catch (Exception e) { + CMS.debug("NSCertTypeExtDefault: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java new file mode 100644 index 000000000..e57d04067 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java 
@@ -0,0 +1,670 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.GeneralSubtree; +import netscape.security.x509.GeneralSubtrees; +import netscape.security.x509.NameConstraintsExtension; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a name constraint extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class NameConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "nameConstraintsCritical"; + public static final String CONFIG_NUM_PERMITTED_SUBTREES = + "nameConstraintsNumPermittedSubtrees"; + public static final String CONFIG_PERMITTED_MIN_VAL = "nameConstraintsPermittedSubtreeMinValue_"; + public static final String CONFIG_PERMITTED_MAX_VAL = "nameConstraintsPermittedSubtreeMaxValue_"; + public static final String CONFIG_PERMITTED_NAME_CHOICE = "nameConstraintsPermittedSubtreeNameChoice_"; + public static final String CONFIG_PERMITTED_NAME_VAL = "nameConstraintsPermittedSubtreeNameValue_"; + public static final String CONFIG_PERMITTED_ENABLE = "nameConstraintsPermittedSubtreeEnable_"; + + public static final String CONFIG_NUM_EXCLUDED_SUBTREES = "nameConstraintsNumExcludedSubtrees"; + public static final String CONFIG_EXCLUDED_MIN_VAL = "nameConstraintsExcludedSubtreeMinValue_"; + public static final String CONFIG_EXCLUDED_MAX_VAL = "nameConstraintsExcludedSubtreeMaxValue_"; + public static final String CONFIG_EXCLUDED_NAME_CHOICE = "nameConstraintsExcludedSubtreeNameChoice_"; + public static final String CONFIG_EXCLUDED_NAME_VAL = "nameConstraintsExcludedSubtreeNameValue_"; + public static final String CONFIG_EXCLUDED_ENABLE = "nameConstraintsExcludedSubtreeEnable_"; + + public static final String VAL_CRITICAL = "nameConstraintsCritical"; + public static final String VAL_PERMITTED_SUBTREES = "nameConstraintsPermittedSubtreesValue"; + public static final String VAL_EXCLUDED_SUBTREES = "nameConstraintsExcludedSubtreesValue"; + + private static final String GENERAL_NAME_CHOICE = "GeneralNameChoice"; + private static final String GENERAL_NAME_VALUE = "GeneralNameValue"; + private static final String MIN_VALUE = "Min Value"; + private static final String MAX_VALUE = "Max Value"; + private static final String ENABLE = "Enable"; + + protected static final int 
DEF_NUM_PERMITTED_SUBTREES = 1; + protected static final int DEF_NUM_EXCLUDED_SUBTREES = 1; + protected static final int MAX_NUM_EXCLUDED_SUBTREES = 100; + protected static final int MAX_NUM_PERMITTED_SUBTREES = 100; + + public NameConstraintsExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + + } + + protected int getNumPermitted() { + int num = DEF_NUM_PERMITTED_SUBTREES; + String val = getConfig(CONFIG_NUM_PERMITTED_SUBTREES); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_PERMITTED_SUBTREES) + num = DEF_NUM_PERMITTED_SUBTREES; + return num; + } + + protected int getNumExcluded() { + int num = DEF_NUM_EXCLUDED_SUBTREES; + String val = getConfig(CONFIG_NUM_EXCLUDED_SUBTREES); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_EXCLUDED_SUBTREES) + num = DEF_NUM_EXCLUDED_SUBTREES; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_PERMITTED_SUBTREES)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_PERMITTED_SUBTREES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_PERMITTED_SUBTREES)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_PERMITTED_SUBTREES)); + } + } else if (name.equals(CONFIG_NUM_EXCLUDED_SUBTREES)) { + + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_EXCLUDED_SUBTREES || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_EXCLUDED_SUBTREES)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + 
"CMS_INVALID_PROPERTY", CONFIG_NUM_EXCLUDED_SUBTREES)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + //refesh our config name list + + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_PERMITTED_SUBTREES); + addValueName(VAL_EXCLUDED_SUBTREES); + + addConfigName(CONFIG_CRITICAL); + int num = getNumPermitted(); + + addConfigName(CONFIG_NUM_PERMITTED_SUBTREES); + + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_PERMITTED_MIN_VAL + i); + addConfigName(CONFIG_PERMITTED_MAX_VAL + i); + addConfigName(CONFIG_PERMITTED_NAME_CHOICE + i); + addConfigName(CONFIG_PERMITTED_NAME_VAL + i); + addConfigName(CONFIG_PERMITTED_ENABLE + i); + } + + num = getNumExcluded(); + + addConfigName(CONFIG_NUM_EXCLUDED_SUBTREES); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_EXCLUDED_MIN_VAL + i); + addConfigName(CONFIG_EXCLUDED_MAX_VAL + i); + addConfigName(CONFIG_EXCLUDED_NAME_CHOICE + i); + addConfigName(CONFIG_EXCLUDED_NAME_VAL + i); + addConfigName(CONFIG_EXCLUDED_ENABLE + i); + } + + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_PERMITTED_MIN_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_MIN_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_MAX_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_MAX_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_NAME_CHOICE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_NAME_CHOICE")); + } else if 
(name.startsWith(CONFIG_PERMITTED_NAME_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_NAME_VAL")); + } else if (name.startsWith(CONFIG_PERMITTED_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_EXCLUDED_MIN_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_MIN_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_MAX_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_MAX_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_NAME_CHOICE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_NAME_CHOICE")); + } else if (name.startsWith(CONFIG_EXCLUDED_NAME_VAL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_NAME_VAL")); + } else if (name.startsWith(CONFIG_EXCLUDED_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_EXCLUDED_SUBTREES)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_EXCLUDED_SUBTREES")); + } else if (name.startsWith(CONFIG_NUM_PERMITTED_SUBTREES)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_PERMITTED_SUBTREES")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + 
CMS.getUserMessage(locale, "CMS_PROFILE_PERMITTED_SUBTREES")); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_EXCLUDED_SUBTREES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + NameConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + if ((value == null) || (value.equals("null")) || (value.equals(""))) { + CMS.debug("NameConstraintsExtDefault:setValue : " + + "blank value for permitted subtrees ... returning"); + return; + } + + Vector v = parseRecords(value); + + Vector permittedSubtrees = createSubtrees(locale, v); + + ext.set(NameConstraintsExtension.PERMITTED_SUBTREES, + new GeneralSubtrees(permittedSubtrees)); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return; + } + if ((value == null) || (value.equals("null")) || (value.equals(""))) { + CMS.debug("NameConstraintsExtDefault:setValue : " + + "blank value for excluded subtrees ... 
returning"); + return; + } + Vector v = parseRecords(value); + + Vector excludedSubtrees = createSubtrees(locale, v); + + ext.set(NameConstraintsExtension.EXCLUDED_SUBTREES, + new GeneralSubtrees(excludedSubtrees)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info); + } catch (IOException e) { + CMS.debug("NameConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("NameConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private Vector createSubtrees(Locale locale, Vector v) throws EPropertyException { + int size = v.size(); + String choice = null; + String val = ""; + String minS = null; + String maxS = null; + + Vector subtrees = new Vector(); + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(GENERAL_NAME_CHOICE)) { + choice = nvps.get(name1); + } else if (name1.equals(GENERAL_NAME_VALUE)) { + val = nvps.get(name1); + } else if (name1.equals(MIN_VALUE)) { + minS = nvps.get(name1); + } else if (name1.equals(MAX_VALUE)) { + maxS = nvps.get(name1); + } + } + + if (choice == null || choice.length() == 0) { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_PROFILE_GENERAL_NAME_NOT_FOUND")); + } + + if (val == null) + val = ""; + + int min = 0; + int max = -1; + + if (minS != null && minS.length() > 0) + min = Integer.parseInt(minS); + if (maxS != null && maxS.length() > 0) + max = Integer.parseInt(maxS); + + GeneralName gn = null; + GeneralNameInterface gnI = null; + + try { + gnI = parseGeneralName(choice + ":" + val); + } catch (IOException e) { + CMS.debug("NameConstraintsExtDefault: 
createSubtress " + + e.toString()); + } + + if (gnI != null) { + gn = new GeneralName(gnI); + } else { + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_PROFILE_GENERAL_NAME_NOT_FOUND")); + } + GeneralSubtree subtree = new GeneralSubtree( + gn, min, max); + + subtrees.addElement(subtree); + } + + return subtrees; + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + NameConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_PERMITTED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) + return ""; + + GeneralSubtrees subtrees = null; + + try { + subtrees = (GeneralSubtrees) + ext.get(NameConstraintsExtension.PERMITTED_SUBTREES); + } catch (IOException e) { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + + if (subtrees == null) { + CMS.debug("NameConstraintsExtDefault::getValue() VAL_PERMITTED_SUBTREES is null!"); + throw new EPropertyException("subtrees is null"); + } + + return getSubtreesInfo(ext, subtrees); + } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { + ext = (NameConstraintsExtension) + getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); + + if (ext == null) + return ""; + + GeneralSubtrees 
subtrees = null; + + try { + subtrees = (GeneralSubtrees) + ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES); + } catch (IOException e) { + CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); + } + + if (subtrees == null) { + CMS.debug("NameConstraintsExtDefault::getValue() VAL_EXCLUDED_SUBTREES is null!"); + throw new EPropertyException("subtrees is null"); + } + + return getSubtreesInfo(ext, subtrees); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + private String getSubtreesInfo(NameConstraintsExtension ext, + GeneralSubtrees subtrees) throws EPropertyException { + Vector trees = subtrees.getSubtrees(); + int size = trees.size(); + + Vector recs = new Vector(); + + for (int i = 0; i < size; i++) { + GeneralSubtree tree = (GeneralSubtree) trees.elementAt(i); + + GeneralName gn = tree.getGeneralName(); + String type = getGeneralNameType(gn); + int max = tree.getMaxValue(); + int min = tree.getMinValue(); + + NameValuePairs pairs = new NameValuePairs(); + + pairs.put(GENERAL_NAME_CHOICE, type); + pairs.put(GENERAL_NAME_VALUE, getGeneralNameValue(gn)); + pairs.put(MIN_VALUE, Integer.toString(min)); + pairs.put(MAX_VALUE, Integer.toString(max)); + pairs.put(ENABLE, "true"); + + recs.addElement(pairs); + } + + return buildRecords(recs); + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumPermitted(); + + for (int i = 0; i < num; i++) { + sb.append("Permitted #"); + sb.append(i); + sb.append("{"); + sb.append(GENERAL_NAME_CHOICE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_NAME_CHOICE + i)); + sb.append(","); + sb.append(GENERAL_NAME_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_NAME_VAL + i)); + sb.append(","); + sb.append(MIN_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_MIN_VAL + i)); + sb.append(","); + sb.append(MAX_VALUE + ":"); + sb.append(getConfig(CONFIG_PERMITTED_MAX_VAL + i)); + sb.append("}"); + } + num = 
getNumExcluded(); + for (int i = 0; i < num; i++) { + sb.append("Exluded #"); + sb.append(i); + sb.append("{"); + sb.append(GENERAL_NAME_CHOICE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_NAME_CHOICE + i)); + sb.append(","); + sb.append(GENERAL_NAME_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_NAME_VAL + i)); + sb.append(","); + sb.append(MIN_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_MIN_VAL + i)); + sb.append(","); + sb.append(MAX_VALUE + ":"); + sb.append(getConfig(CONFIG_EXCLUDED_MAX_VAL + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_NAME_CONSTRAINTS_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + NameConstraintsExtension ext = createExtension(); + + addExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info); + } + + public NameConstraintsExtension createExtension() { + NameConstraintsExtension ext = null; + + try { + int num = getNumPermitted(); + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + Vector v = new Vector(); + + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_PERMITTED_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String choice = getConfig(CONFIG_PERMITTED_NAME_CHOICE + i); + String value = getConfig(CONFIG_PERMITTED_NAME_VAL + i); + String minS = getConfig(CONFIG_PERMITTED_MIN_VAL + i); + String maxS = getConfig(CONFIG_PERMITTED_MAX_VAL + i); + + v.addElement(createSubtree(choice, value, minS, maxS)); + } + } + + Vector v1 = new Vector(); + + num = getNumExcluded(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_EXCLUDED_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String choice = getConfig(CONFIG_EXCLUDED_NAME_CHOICE + i); + String value = getConfig(CONFIG_EXCLUDED_NAME_VAL + i); + String minS = getConfig(CONFIG_EXCLUDED_MIN_VAL 
+ i); + String maxS = getConfig(CONFIG_EXCLUDED_MAX_VAL + i); + + v1.addElement(createSubtree(choice, value, minS, maxS)); + } + } + + ext = new NameConstraintsExtension(critical, + new GeneralSubtrees(v), new GeneralSubtrees(v1)); + } catch (Exception e) { + CMS.debug("NameConstraintsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } + + private GeneralSubtree createSubtree(String choice, String value, + String minS, String maxS) { + GeneralName gn = null; + GeneralNameInterface gnI = null; + + try { + gnI = parseGeneralName(choice + ":" + value); + } catch (IOException e) { + CMS.debug(e.toString()); + } + if (gnI != null) + gn = new GeneralName(gnI); + else + //throw new EPropertyException("GeneralName must not be null"); + return null; + + int min = 0; + + if (minS != null && minS.length() > 0) + min = Integer.parseInt(minS); + int max = -1; + + if (maxS != null && maxS.length() > 0) + max = Integer.parseInt(maxS); + + return (new GeneralSubtree(gn, min, max)); + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/NoDefault.java b/base/common/src/com/netscape/cms/profile/def/NoDefault.java new file mode 100644 index 000000000..4678f4487 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/NoDefault.java 
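Review bot: createSubtree returns null when parseGeneralName rejects the configured name choice/value (the throw on that path is commented out), so createExtension adds a null element to the permitted or excluded GeneralSubtrees and, once that blows up inside its catch-all, returns null — the name constraints extension is silently left out of the CA certificate template instead of the misconfiguration being reported. Since populate already declares EProfileException, the failure should propagate: let createSubtree throw IOException and have createExtension rethrow as EProfileException rather than logging and returning null; if createExtension has callers other than populate they would need the same declaration. The unchecked NumberFormatException from Integer.parseInt on the min/max fields in both createSubtree and createSubtrees escapes in the same way and would be covered by the same catch. Whether addExtension tolerates a null extension is not visible in this file.
```java
    public NameConstraintsExtension createExtension() throws EProfileException {
        NameConstraintsExtension ext = null;

        try {
            // … unchanged: permitted/excluded subtree loops and extension construction …
        } catch (Exception e) {
            // Report a bad subtree configuration instead of dropping the extension.
            CMS.debug("NameConstraintsExtDefault: createExtension " + e.toString());
            throw new EProfileException(e.toString());
        }

        return ext;
    }

    private GeneralSubtree createSubtree(String choice, String value,
            String minS, String maxS) throws IOException {
        GeneralNameInterface gnI = parseGeneralName(choice + ":" + value);

        if (gnI == null) {
            throw new IOException("GeneralName must not be null");
        }
        GeneralName gn = new GeneralName(gnI);
        // … unchanged: min/max parsing and GeneralSubtree construction …
    }
```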
@@ -0,0 +1,111 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements no default policy.
+ *
+ * @version $Revision$, $Date$
+ */
+public class NoDefault implements IPolicyDefault {
+
+ public static final String PROP_NAME = "name";
+
+ protected Vector mValues = new Vector();
+ protected Vector mNames = new Vector();
+ protected IConfigStore mConfig = null;
+
+ public Enumeration getConfigNames() {
+ return mNames.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ }
+
+ public String getDefaultConfig(String name) {
+ return null;
+ }
+
+ public String getConfig(String name) {
+ return null;
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ mConfig = config;
+ }
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request)
+ throws EProfileException {
+ }
+
+ public Enumeration getValueNames() {
+ return mValues.elements();
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setValue(String name, Locale locale, IRequest request,
+ String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale, IRequest request) {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_NO_DEFAULT");
+ }
+
+ public String getName(Locale locale) {
+ try {
+ return mConfig.getString(PROP_NAME);
+ } catch (EBaseException e) {
+ return null;
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java b/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java
new file mode 100644
index 000000000..382f3cec3
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/OCSPNoCheckExtDefault.java
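Review bot: getName dereferences mConfig without a null guard, so calling it before init has run throws a NullPointerException rather than the null that the EBaseException path returns; add `if (mConfig == null) return null;` ahead of the try. mValues and mNames are raw Vector fields that nothing in this class populates, and none of the public methods carries Javadoc; a class-level comment stating that every accessor deliberately returns null or an empty enumeration would tell the next reader this is the intentional no-op default rather than an unfinished one.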
@@ -0,0 +1,185 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Locale; + +import netscape.security.extensions.OCSPNoCheckExtension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates an OCSP No Check extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class OCSPNoCheckExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "ocspNoCheckCritical"; + + public static final String VAL_CRITICAL = "ocspNoCheckCritical"; + + public OCSPNoCheckExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addConfigName(CONFIG_CRITICAL); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + OCSPNoCheckExtension ext = (OCSPNoCheckExtension) + getExtension(OCSPNoCheckExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (OCSPNoCheckExtension) + getExtension(OCSPNoCheckExtension.OID, info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name 
== null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + OCSPNoCheckExtension ext = (OCSPNoCheckExtension) + getExtension(OCSPNoCheckExtension.OID, info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (OCSPNoCheckExtension) + getExtension(OCSPNoCheckExtension.OID, info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_OCSP_NO_CHECK_EXT", + getConfig(CONFIG_CRITICAL)); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + OCSPNoCheckExtension ext = createExtension(); + + addExtension(OCSPNoCheckExtension.OID, ext, info); + } + + public OCSPNoCheckExtension createExtension() { + OCSPNoCheckExtension ext = null; + + try { + ext = new OCSPNoCheckExtension(); + } catch (Exception e) { + CMS.debug("OCSPNoCheckExtDefault: createExtension " + + e.toString()); + return null; + } + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + ext.setCritical(critical); + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java new file mode 100644 index 000000000..db9b95a04 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/PolicyConstraintsExtDefault.java 
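Review bot: setValue changes the extension's criticality with `ext.setCritical(val)` but never writes it back with replaceExtension, unlike the sibling defaults in this commit (NSCertTypeExtDefault and NameConstraintsExtDefault both call `replaceExtension(<oid>, ext, info)` after mutating the object); whether the change reaches the certificate template therefore depends on getExtension returning a live reference, which is not visible here. Adding `replaceExtension(OCSPNoCheckExtension.OID, ext, info);` after the setCritical call, inside the same kind of try/catch the siblings use, removes the doubt. createExtension also returns null when the OCSPNoCheckExtension constructor throws, and populate then passes that null straight to addExtension; raising an EProfileException in populate when createExtension yields null would be clearer than relying on addExtension to cope with it.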
@@ -0,0 +1,287 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.PolicyConstraintsExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a policy constraints extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class PolicyConstraintsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "policyConstraintsCritical"; + public static final String CONFIG_REQ_EXPLICIT_POLICY = "policyConstraintsReqExplicitPolicy"; + public static final String CONFIG_INHIBIT_POLICY_MAPPING = "policyConstraintsInhibitPolicyMapping"; + + public static final String VAL_CRITICAL = "policyConstraintsCritical"; + public static final String VAL_REQ_EXPLICIT_POLICY = "policyConstraintsReqExplicitPolicy"; + public static final String VAL_INHIBIT_POLICY_MAPPING = "policyConstraintsInhibitPolicyMapping"; + + public PolicyConstraintsExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_REQ_EXPLICIT_POLICY); + addValueName(VAL_INHIBIT_POLICY_MAPPING); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_REQ_EXPLICIT_POLICY); + addConfigName(CONFIG_INHIBIT_POLICY_MAPPING); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_REQ_EXPLICIT_POLICY)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUIRED_EXPLICIT_POLICY")); + } else if (name.equals(CONFIG_INHIBIT_POLICY_MAPPING)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INHIBIT_POLICY_MAPPING")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + return new 
Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUIRED_EXPLICIT_POLICY")); + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + return new Descriptor(IDescriptor.INTEGER, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INHIBIT_POLICY_MAPPING")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + PolicyConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return; + } + Integer num = new Integer(value); + + ext.set(PolicyConstraintsExtension.REQUIRE, num); + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return; + } + Integer num = new Integer(value); + + ext.set(PolicyConstraintsExtension.INHIBIT, num); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("PolicyConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", 
name)); + } catch (IOException e) { + CMS.debug("PolicyConstraintsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PolicyConstraintsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + if (ext == null) { + + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_REQ_EXPLICIT_POLICY)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) + return ""; + + int num = ext.getRequireExplicitMapping(); + + return "" + num; + } else if (name.equals(VAL_INHIBIT_POLICY_MAPPING)) { + ext = (PolicyConstraintsExtension) + getExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + info); + + if (ext == null) + return ""; + + int num = ext.getInhibitPolicyMapping(); + + return "" + num; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_REQ_EXPLICIT_POLICY), + getConfig(CONFIG_INHIBIT_POLICY_MAPPING) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_POLICY_CONSTRAINTS_EXT", params); + } + + /** + * Populates the request 
with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PolicyConstraintsExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.PolicyConstraints_Id.toString(), + ext, info); + } + + public PolicyConstraintsExtension createExtension() { + PolicyConstraintsExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + int reqNum = -1; + int inhibitNum = -1; + String req = getConfig(CONFIG_REQ_EXPLICIT_POLICY); + + if (req != null && req.length() > 0) { + reqNum = Integer.parseInt(req); + } + String inhibit = getConfig(CONFIG_INHIBIT_POLICY_MAPPING); + + if (inhibit != null && inhibit.length() > 0) { + inhibitNum = Integer.parseInt(inhibit); + } + ext = new PolicyConstraintsExtension(critical, reqNum, inhibitNum); + } catch (Exception e) { + CMS.debug("PolicyConstraintsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java new file mode 100644 index 000000000..712641c0d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/PolicyMappingsExtDefault.java 
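Review bot: In setValue, `Integer num = new Integer(value);` for `policyConstraintsReqExplicitPolicy` and `policyConstraintsInhibitPolicyMapping` is guarded only by `catch (EProfileException e)` and `catch (IOException e)`, so a non-numeric value escapes as an unchecked NumberFormatException instead of the EPropertyException every other invalid input in this class produces. Add a third handler `} catch (NumberFormatException e) {` that rethrows `new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name))` next to the two existing ones. Neither setValue nor createExtension rejects negative values, and requireExplicitPolicy / inhibitPolicyMapping are SkipCerts counts that RFC 5280 defines as INTEGER (0..MAX), so a `num < 0` check belongs in the same place. Note also that createExtension returns null on any parse failure and populate then issues without the extension after only a CMS.debug line, and that `policyConstraintsCritical` defaults to `false` although RFC 5280 §4.2.1.11 requires conforming CAs to mark this extension critical — if that default is kept for compatibility, a comment on CONFIG_CRITICAL saying so would help.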
@@ -0,0 +1,420 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertificatePolicyId;
+import netscape.security.x509.CertificatePolicyMap;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.PolicyMappingsExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a policy mappings extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class PolicyMappingsExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "policyMappingsCritical"; + public static final String CONFIG_NUM_POLICY_MAPPINGS = "policyMappingsNum"; + public static final String CONFIG_ISSUER_DOMAIN_POLICY = "policyMappingsIssuerDomainPolicy_"; + public static final String CONFIG_SUBJECT_DOMAIN_POLICY = "policyMappingsSubjectDomainPolicy_"; + public static final String CONFIG_ENABLE = "policyMappingsEnable_"; + + public static final String VAL_CRITICAL = "policyMappingsCritical"; + public static final String VAL_DOMAINS = "policyMappingsDomains"; + + private static final String ISSUER_POLICY_ID = "Issuer Policy Id"; + private static final String SUBJECT_POLICY_ID = "Subject Policy Id"; + private static final String POLICY_ID_ENABLE = "Enable"; + + private static final int DEF_NUM_MAPPINGS = 1; + private static final int MAX_NUM_MAPPINGS = 100; + + public PolicyMappingsExtDefault() { + super(); + } + + protected int getNumMappings() { + int num = DEF_NUM_MAPPINGS; + String numMappings = getConfig(CONFIG_NUM_POLICY_MAPPINGS); + + if (numMappings != null) { + try { + num = Integer.parseInt(numMappings); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_POLICY_MAPPINGS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_MAPPINGS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POLICY_MAPPINGS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_POLICY_MAPPINGS)); + } + } + super.setConfig(name, value); + } + + public 
Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_DOMAINS); + + addConfigName(CONFIG_CRITICAL); + int num = getNumMappings(); + + addConfigName(CONFIG_NUM_POLICY_MAPPINGS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_ISSUER_DOMAIN_POLICY + i); + addConfigName(CONFIG_SUBJECT_DOMAIN_POLICY + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_ISSUER_DOMAIN_POLICY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ISSUER_DOMAIN_POLICY")); + } else if (name.startsWith(CONFIG_SUBJECT_DOMAIN_POLICY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_DOMAIN_POLICY")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_POLICY_MAPPINGS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_POLICY_MAPPINGS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_DOMAINS)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_DOMAINS")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String 
value) + throws EPropertyException { + try { + PolicyMappingsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + populate(null, info); + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_DOMAINS)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = parseRecords(value); + int size = v.size(); + + String issuerPolicyId = null; + String subjectPolicyId = null; + String enable = null; + Vector policyMaps = new Vector(); + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(ISSUER_POLICY_ID)) { + issuerPolicyId = nvps.get(name1); + } else if (name1.equals(SUBJECT_POLICY_ID)) { + subjectPolicyId = nvps.get(name1); + } else if (name1.equals(POLICY_ID_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + if (issuerPolicyId == null || + issuerPolicyId.length() == 0 || subjectPolicyId == null || + subjectPolicyId.length() == 0) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_POLICY_ID_NOT_FOUND")); + CertificatePolicyMap map = new CertificatePolicyMap( + new CertificatePolicyId(new ObjectIdentifier(issuerPolicyId)), + new CertificatePolicyId(new ObjectIdentifier(subjectPolicyId))); + + policyMaps.addElement(map); + } + } + ext.set(PolicyMappingsExtension.MAP, policyMaps); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", 
name)); + } + + replaceExtension(PKIXExtensions.PolicyMappings_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("PolicyMappingsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("PolicyMappingsExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PolicyMappingsExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_DOMAINS)) { + ext = (PolicyMappingsExtension) + getExtension(PKIXExtensions.PolicyMappings_Id.toString(), + info); + + if (ext == null) + return ""; + + int num_mappings = getNumMappings(); + + Enumeration maps = ext.getMappings(); + + Vector recs = new Vector(); + + for (int i = 0; i < num_mappings; i++) { + NameValuePairs pairs = new NameValuePairs(); + + if (maps.hasMoreElements()) { + CertificatePolicyMap map = + (CertificatePolicyMap) maps.nextElement(); + + CertificatePolicyId i1 = map.getIssuerIdentifier(); + CertificatePolicyId s1 = map.getSubjectIdentifier(); + + pairs.put(ISSUER_POLICY_ID, i1.getIdentifier().toString()); + 
pairs.put(SUBJECT_POLICY_ID, s1.getIdentifier().toString()); + pairs.put(POLICY_ID_ENABLE, "true"); + } else { + pairs.put(ISSUER_POLICY_ID, ""); + pairs.put(SUBJECT_POLICY_ID, ""); + pairs.put(POLICY_ID_ENABLE, "false"); + + } + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumMappings(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(ISSUER_POLICY_ID + ":"); + sb.append(getConfig(CONFIG_ISSUER_DOMAIN_POLICY + i)); + sb.append(","); + sb.append(SUBJECT_POLICY_ID + ":"); + sb.append(getConfig(CONFIG_SUBJECT_DOMAIN_POLICY + i)); + sb.append(","); + sb.append(POLICY_ID_ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_POLICY_MAPPINGS_EXT", + getConfig(CONFIG_CRITICAL), sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PolicyMappingsExtension ext = createExtension(); + + if (ext == null) + return; + addExtension(PKIXExtensions.PolicyMappings_Id.toString(), + ext, info); + } + + public PolicyMappingsExtension createExtension() { + PolicyMappingsExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + Vector policyMaps = new Vector(); + int num = getNumMappings(); + + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + + if (enable != null && enable.equals("true")) { + String issuerID = getConfig(CONFIG_ISSUER_DOMAIN_POLICY + i); + + if (issuerID == null || issuerID.length() == 0) { + return null; + } + + String subjectID = getConfig(CONFIG_SUBJECT_DOMAIN_POLICY + i); + + if (subjectID == null || subjectID.length() == 0) { + return null; + } + + CertificatePolicyMap map = new CertificatePolicyMap( + new CertificatePolicyId(new ObjectIdentifier(issuerID)), + new CertificatePolicyId(new ObjectIdentifier(subjectID))); + + policyMaps.addElement(map); + } + } + + ext = new PolicyMappingsExtension(critical, policyMaps); + } catch (Exception e) { + CMS.debug("PolicyMappingsExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java new file mode 100644 index 000000000..20285567e --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java 
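Review bot: In setValue's `VAL_DOMAINS` branch, `issuerPolicyId`, `subjectPolicyId` and `enable` are declared once before the `for (int i = 0; i < size; i++)` loop and never reset, so a record that omits `Issuer Policy Id`, `Subject Policy Id` or `Enable` silently inherits the previous record's value; a record carrying only `Enable:true` would add a duplicate of the prior mapping instead of failing the `CMS_PROFILE_POLICY_ID_NOT_FOUND` check. Move the three declarations inside the loop as the first statements after `NameValuePairs nvps = v.elementAt(i);`: `String issuerPolicyId = null; String subjectPolicyId = null; String enable = null;`. Separately, createExtension returns null when an enabled mapping has an empty policy OID and populate then returns without adding the extension, so a misconfigured profile issues certificates without the mapping and nothing is logged on that path — a CMS.debug before each `return null;` would at least make it visible. The `setConfig` bound `num >= MAX_NUM_MAPPINGS` also rejects 100 despite the constant's name; `>` looks like what was intended.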
@@ -0,0 +1,316 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.text.ParsePosition;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.PrivateKeyUsageExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a Private Key Usage Period extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "puCritical"; + public static final String CONFIG_START_TIME = "puStartTime"; + public static final String CONFIG_DURATION = "puDurationInDays"; // in days + + public static final String VAL_CRITICAL = "puCritical"; + public static final String VAL_NOT_BEFORE = "puNotBefore"; + public static final String VAL_NOT_AFTER = "puNotAfter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + private long mDefault = 86400000; // 1 days + + public PrivateKeyUsagePeriodExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_DURATION); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, null, + "0", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_DURATION)) { + return new Descriptor(IDescriptor.STRING, null, + "365", + CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); + } else { + return null; + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } else if (name.equals(CONFIG_DURATION)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new 
EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_DURATION)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, + "0", + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, + "30", + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + PrivateKeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = PKIXExtensions.PrivateKeyUsage_Id; + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + ext.set(PrivateKeyUsageExtension.NOT_BEFORE, date); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + + ext = 
(PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + ext.set(PrivateKeyUsageExtension.NOT_AFTER, date); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (EProfileException e) { + CMS.debug("PrivateKeyUsageExtension: setValue " + e.toString()); + } catch (Exception e) { + CMS.debug("PrivateKeyUsageExtension: setValue " + e.toString()); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + PrivateKeyUsageExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ObjectIdentifier oid = PKIXExtensions.PrivateKeyUsage_Id; + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + return formatter.format(ext.getNotBefore()); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + + ext = (PrivateKeyUsageExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + return formatter.format(ext.getNotAfter()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); 
+ } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_START_TIME), + getConfig(CONFIG_DURATION) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_PRIVATE_KEY_EXT", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + PrivateKeyUsageExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public PrivateKeyUsageExtension createExtension() { + PrivateKeyUsageExtension ext = null; + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + + (1000 * startTime)); + long notAfterVal = 0; + + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION))); + Date notAfter = new Date(notAfterVal); + + ext = new PrivateKeyUsageExtension(notBefore, notAfter); + ext.setCritical(critical); + } catch (Exception e) { + CMS.debug("PrivateKeyUsagePeriodExt: createExtension " + + e.toString()); + } + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java new file mode 100644 index 000000000..11da93fc8 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SigningAlgDefault.java 
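Review bot: populate dereferences the result of `createExtension()` directly in `addExtension(ext.getExtensionId().toString(), ext, info)`, but createExtension returns null whenever its try block fails — for example when `puDurationInDays` is unset, since `Integer.parseInt(getConfig(CONFIG_DURATION))` has no null/empty guard like the one on `puStartTime` — so a misconfigured profile dies with a NullPointerException instead of a profile error. The sibling defaults in this commit use `if (ext == null) return;`; here an explicit `throw new EProfileException(...)` is preferable, because the extension was configured and silently omitting it changes what the CA issues. setValue also diverges from the other defaults: both `catch (EProfileException e)` and `catch (Exception e)` only CMS.debug and return, so an unparseable `puNotBefore`/`puNotAfter` (formatter.parse with a ParsePosition returns null rather than throwing, and that null presumably reaches `ext.set`) leaves the template unchanged while the caller sees success — rethrow as EPropertyException with `CMS_INVALID_PROPERTY` as PolicyConstraintsExtDefault does. The SimpleDateFormat instances also run in the JVM default time zone, so the same value string yields different notBefore/notAfter depending on where the CA is deployed; a comment on DATE_FORMAT, or an explicit `formatter.setTimeZone(...)`, would pin that down.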
@@ -0,0 +1,183 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.util.Locale;
+
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a signing algorithm
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class SigningAlgDefault extends EnrollDefault { + + public static final String CONFIG_ALGORITHM = "signingAlg"; + + public static final String VAL_ALGORITHM = "signingAlg"; + public static final String DEF_CONFIG_ALGORITHMS = + "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; + + public SigningAlgDefault() { + super(); + addConfigName(CONFIG_ALGORITHM); + addValueName(VAL_ALGORITHM); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_ALGORITHM)) { + return new Descriptor(IDescriptor.CHOICE, DEF_CONFIG_ALGORITHMS, + "SHA256withRSA", + CMS.getUserMessage(locale, "CMS_PROFILE_SIGNING_ALGORITHM")); + } else { + return null; + } + } + + public String getSigningAlg() { + String signingAlg = getConfig(CONFIG_ALGORITHM); + // if specified, use the specified one. 
Otherwise, pick + // the best selection for the user + if (signingAlg == null || signingAlg.equals("") || + signingAlg.equals("-")) { + // best pick for the user + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + return ca.getDefaultAlgorithm(); + } else { + return signingAlg; + } + } + + public String getDefSigningAlgorithms() { + StringBuffer allowed = new StringBuffer(); + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + String algos[] = ca.getCASigningAlgorithms(); + for (int i = 0; i < algos.length; i++) { + if (allowed.length() == 0) { + allowed.append(algos[i]); + } else { + allowed.append(","); + allowed.append(algos[i]); + } + } + return allowed.toString(); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_ALGORITHM)) { + String allowed = getDefSigningAlgorithms(); + return new Descriptor(IDescriptor.CHOICE, + allowed, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SIGNING_ALGORITHM")); + } + return null; + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_ALGORITHM)) { + try { + info.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.getAlgorithmId(value))); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException("Invalid name " + name); + + if (name.equals(VAL_ALGORITHM)) { + CertificateAlgorithmId 
algId = null; + + try { + algId = (CertificateAlgorithmId) + info.get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) + algId.get(CertificateAlgorithmId.ALGORITHM); + + return id.toString(); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: getValue " + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SIGNING_ALGORITHM", + getSigningAlg()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + try { + info.set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.getAlgorithmId(getSigningAlg()))); + } catch (Exception e) { + CMS.debug("SigningAlgDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java new file mode 100644 index 000000000..d3838577e --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java 
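Review bot: `DEF_CONFIG_ALGORITHMS` offers `MD2withRSA` and `MD5withRSA` as selectable certificate signing algorithms in `getConfigDescriptor`, both digests are unfit for signatures, and `setValue` then hands the submitted `value` straight to `AlgorithmId.getAlgorithmId` without checking it against the CA's list from `getDefSigningAlgorithms()`, so the choice list shown to the operator is not what this class enforces (a SigningAlgConstraint elsewhere in the tree may cover it, but this default does not). Dropping the MD2/MD5 entries, e.g. `"-,SHA1withRSA,SHA256withRSA,SHA512withRSA";`, and guarding the setter with `String allowed = "," + getDefSigningAlgorithms() + ","; if (!allowed.contains("," + value + ",")) throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` would keep the configured and the accepted sets aligned. The `catch (Exception e)` blocks in `getValue` and `populate` also discard the cause; `populate` in particular only logs and returns, which leaves the template's `ALGORITHM_ID` unset when `getSigningAlg()` yields a name `AlgorithmId` does not recognise, with no signal to the caller.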
@@ -0,0 +1,542 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.UUID;
+
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectAlternativeNameExtension;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IAttrSet;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.pattern.Pattern;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a subject alternative name extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class SubjectAltNameExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjAltNameExtCritical"; + public static final String CONFIG_NUM_GNS = "subjAltNameNumGNs"; + public static final String CONFIG_GN_ENABLE = "subjAltExtGNEnable_"; + public static final String CONFIG_TYPE = "subjAltExtType_"; + public static final String CONFIG_PATTERN = "subjAltExtPattern_"; + public static final String CONFIG_SOURCE = "subjAltExtSource_"; + public static final String CONFIG_SOURCE_UUID4 = "UUID4"; + + public static final String CONFIG_OLD_TYPE = "subjAltExtType"; + public static final String CONFIG_OLD_PATTERN = "subjAltExtPattern"; + + public static final String VAL_CRITICAL = "subjAltNameExtCritical"; + public static final String VAL_GENERAL_NAMES = "subjAltNames"; + + private static final String GN_ENABLE = "Enable"; + private static final String GN_TYPE = "Pattern Type"; + private static final String GN_PATTERN = "Pattern"; + + private static final int DEF_NUM_GN = 1; + private static final int MAX_NUM_GN = 100; + + public SubjectAltNameExtDefault() { + super(); + } + + protected int getNumGNs() { + int num = DEF_NUM_GN; + String numGNs = getConfig(CONFIG_NUM_GNS); + + if (numGNs != null) { + try { + num = Integer.parseInt(numGNs); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_GN) + num = DEF_NUM_GN; + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + + super.init(profile, config); + refreshConfigAndValueNames(); + // migrate old parameters to new parameters + String old_type = null; + String old_pattern = null; + IConfigStore paramConfig = config.getSubStore("params"); + try { + if (paramConfig != null) { + old_type = paramConfig.getString(CONFIG_OLD_TYPE); + } + } catch (EBaseException e) { + // nothing to do here + } + CMS.debug("SubjectAltNameExtDefault: Upgrading old_type=" + + old_type); + try 
{ + if (paramConfig != null) { + old_pattern = paramConfig.getString(CONFIG_OLD_PATTERN); + } + } catch (EBaseException e) { + // nothing to do here + } + CMS.debug("SubjectAltNameExtDefault: Upgrading old_pattern=" + + old_pattern); + if (old_type != null && old_pattern != null) { + CMS.debug("SubjectAltNameExtDefault: Upgrading"); + try { + paramConfig.putString(CONFIG_NUM_GNS, "1"); + paramConfig.putString(CONFIG_GN_ENABLE + "0", "true"); + paramConfig.putString(CONFIG_TYPE + "0", old_type); + paramConfig.putString(CONFIG_PATTERN + "0", old_pattern); + paramConfig.remove(CONFIG_OLD_TYPE); + paramConfig.remove(CONFIG_OLD_PATTERN); + profile.getConfigStore().commit(true); + } catch (Exception e) { + CMS.debug("SubjectAltNameExtDefault: Failed to upgrade " + e); + } + } + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_GNS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_GN || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_GNS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_GNS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + addConfigName(CONFIG_CRITICAL); + int num = getNumGNs(); + addConfigName(CONFIG_NUM_GNS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_TYPE + i); + addConfigName(CONFIG_PATTERN + i); + addConfigName(CONFIG_GN_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, 
"CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_TYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName,OtherName", + "RFC822Name", + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_ALT_NAME_TYPE")); + } else if (name.startsWith(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_ALT_NAME_PATTERN")); + } else if (name.startsWith(CONFIG_GN_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_GN_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_GNS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_GNS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + SubjectAlternativeNameExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + boolean critical = 
Boolean.valueOf(value).booleanValue(); + + ext.setCritical(critical); + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + // it is ok, the extension is never populated or delted + return; + } + if (value.equals("")) { + // if value is empty, do not add this extension + deleteExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + return; + } + GeneralNames gn = new GeneralNames(); + StringTokenizer st = new StringTokenizer(value, "\r\n"); + + while (st.hasMoreTokens()) { + String gname = (String) st.nextToken(); + CMS.debug("SubjectAltNameExtDefault: setValue GN:" + gname); + + if (!isGeneralNameValid(gname)) { + continue; + } + GeneralNameInterface n = parseGeneralName(gname); + if (n != null) { + gn.addElement(n); + } + } + if (gn.size() == 0) { + CMS.debug("GN size is zero"); + deleteExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + return; + } else { + CMS.debug("GN size is non zero (" + gn.size() + ")"); + ext.set(SubjectAlternativeNameExtension.SUBJECT_NAME, gn); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + replaceExtension( + PKIXExtensions.SubjectAlternativeName_Id.toString(), + ext, info); + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("SubjectAltNameExtDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + try { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + 
SubjectAlternativeNameExtension ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + ext = + (SubjectAlternativeNameExtension) + getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info); + if (ext == null) { + return null; + } + + GeneralNames names = (GeneralNames) + ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME); + StringBuffer sb = new StringBuffer(); + Enumeration e = names.elements(); + + while (e.hasMoreElements()) { + GeneralNameInterface gn = e.nextElement(); + + if (!sb.toString().equals("")) { + sb.append("\r\n"); + } + sb.append(toGeneralNameString(gn)); + CMS.debug("SubjectAltNameExtDefault: getValue append GN:" + toGeneralNameString(gn)); + } + return sb.toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: getValue " + + e.toString()); + } + return null; + } + + /* + * returns text that goes into description for this extension on + * a profile + */ + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumGNs(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(GN_PATTERN + ":"); + sb.append(getConfig(CONFIG_PATTERN + i)); + sb.append(","); + sb.append(GN_TYPE + ":"); + sb.append(getConfig(CONFIG_TYPE + i)); + sb.append(","); + 
sb.append(GN_ENABLE + ":"); + sb.append(getConfig(CONFIG_GN_ENABLE + i)); + sb.append("}"); + } + ; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_ALT_NAME_EXT", getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectAlternativeNameExtension ext = null; + + try { + /* read from config file*/ + ext = createExtension(request); + + } catch (IOException e) { + CMS.debug("SubjectAltNameExtDefault: populate " + e.toString()); + } + if (ext != null) { + addExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), + ext, info); + } else { + CMS.debug("SubjectAltNameExtDefault: populate sees no extension. get out"); + } + } + + public SubjectAlternativeNameExtension createExtension(IRequest request) + throws IOException { + SubjectAlternativeNameExtension ext = null; + int num = getNumGNs(); + + boolean critical = Boolean.valueOf( + getConfig(CONFIG_CRITICAL)).booleanValue(); + + GeneralNames gn = new GeneralNames(); + int count = 0; // # of actual gnames + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_GN_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("SubjectAltNameExtDefault: createExtension i=" + i); + + String pattern = getConfig(CONFIG_PATTERN + i); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + if (!pattern.equals("")) { + String gname = ""; + + // cfu - see if this is server-generated (e.g. 
UUID4) + // to use this feature, use $server.source$ in pattern + String source = getConfig(CONFIG_SOURCE + i); + String type = getConfig(CONFIG_TYPE + i); + if ((source != null) && (!source.equals(""))) { + if (type.equalsIgnoreCase("OtherName")) { + CMS.debug("SubjectAlternativeNameExtension: using " + + source + " as gn"); + if (source.equals(CONFIG_SOURCE_UUID4)) { + UUID randUUID = UUID.randomUUID(); + // call the mapPattern that does server-side gen + // request is not used, but needed for the substitute + // function + gname = mapPattern(randUUID.toString(), request, pattern); + } else { //expand more server-gen types here + CMS.debug("SubjectAltNameExtDefault: createExtension - unsupported server-generated type: " + + source + ". Supported: UUID4"); + continue; + } + } else { + CMS.debug("SubjectAltNameExtDefault: createExtension - source is only supported for subjAltExtType OtherName"); + continue; + } + } else { + if (request != null) { + gname = mapPattern(request, pattern); + } + } + + if (gname.equals("")) { + CMS.debug("gname is empty, not added"); + continue; + } + CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname); + + GeneralNameInterface n = parseGeneralName(type + ":" + gname); + + CMS.debug("adding gname: " + gname); + if (n != null) { + CMS.debug("SubjectAlternativeNameExtension: n not null"); + gn.addElement(n); + count++; + } else { + CMS.debug("SubjectAlternativeNameExtension: n null"); + } + } + } + } //for + + if (count != 0) { + try { + ext = new SubjectAlternativeNameExtension(); + } catch (Exception e) { + CMS.debug(e.toString()); + throw new IOException(e.toString()); + } + ext.set(SubjectAlternativeNameExtension.SUBJECT_NAME, gn); + ext.setCritical(critical); + } else { + CMS.debug("count is 0"); + } + return ext; + } + + public String mapPattern(IRequest request, String pattern) + throws IOException { + Pattern p = new Pattern(pattern); + IAttrSet attrSet = null; + if (request != null) { + attrSet = 
request.asIAttrSet();
+ }
+ return p.substitute("request", attrSet);
+ }
+
+ // for server-side generated values
+ public String mapPattern(String val, IRequest request, String pattern)
+ throws IOException {
+ Pattern p = new Pattern(pattern);
+ IAttrSet attrSet = null;
+ if (request != null) {
+ attrSet = request.asIAttrSet();
+ }
+ try {
+ attrSet.set("source", val);
+ } catch (Exception e) {
+ CMS.debug("SubjectAlternativeNameExtension: mapPattern source " + e.toString());
+ }
+
+ return p.substitute("server", attrSet);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java
new file mode 100644
index 000000000..cca5ab234
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/SubjectDirAttributesExtDefault.java
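Review bot: In `createExtension`, `type` is read with `getConfig(CONFIG_TYPE + i)` and then dereferenced as `type.equalsIgnoreCase("OtherName")` whenever a `subjAltExtSource_` value is set, and otherwise concatenated into `parseGeneralName(type + ":" + gname)`, so an enabled record with no type configured either throws a NullPointerException out of `populate` (which declares only EProfileException and catches only IOException) or parses the literal string `null:...`. A guard right after the lookup, `if (type == null || type.equals("")) { CMS.debug("SubjectAltNameExtDefault: createExtension - no type for record " + i); continue; }`, would skip the record the same way the unsupported-source branches already do. The server-generated `mapPattern(String, IRequest, String)` overload has a similar gap: when `request` is null, as in the `populate(null, info)` calls from `setValue` and `getValue`, `attrSet.set("source", val)` NPEs into the broad catch and `substitute` is then called with a null attrSet, so the UUID is presumably never substituted; an explicit `if (attrSet == null) return "";` before the `try` would make that path visible instead of a logged stack trace. Separately, `createExtension` does not apply the `isGeneralNameValid` check that `setValue` applies to the same `type:value` strings, which matters here because `gname` is expanded from request attributes — presumably `parseGeneralName` returns null on malformed input, but that is worth confirming. The stray `;` after the for loop in `getText` is an empty statement and can be dropped.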
@@ -0,0 +1,527 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AVAValueConverter;
+import netscape.security.x509.Attribute;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.SubjectDirAttributesExtension;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates a subject directory attributes extension
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class SubjectDirAttributesExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjDirAttrsCritical"; + public static final String CONFIG_NUM_ATTRS = "subjDirAttrsNum"; + public static final String CONFIG_ATTR_NAME = "subjDirAttrName_"; + public static final String CONFIG_PATTERN = "subjDirAttrPattern_"; + public static final String CONFIG_ENABLE = "subjDirAttrEnable_"; + + public static final String VAL_CRITICAL = "subjDirAttrCritical"; + public static final String VAL_ATTR = "subjDirAttrValue"; + + private static final int DEF_NUM_ATTRS = 1; + private static final int MAX_NUM_ATTRS = 100; + private static final String ENABLE = "Enable"; + private static final String ATTR_NAME = "Attribute Name"; + private static final String ATTR_VALUE = "Attribute Value"; + + public SubjectDirAttributesExtDefault() { + super(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + protected int getNumAttrs() { + int num = DEF_NUM_ATTRS; + String val = getConfig(CONFIG_NUM_ATTRS); + + if (val != null) { + try { + num = Integer.parseInt(val); + } catch (NumberFormatException e) { + // ignore + } + } + + if (num >= MAX_NUM_ATTRS) + num = DEF_NUM_ATTRS; + + return num; + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(DEF_NUM_ATTRS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_ATTRS || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ATTRS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ATTRS)); + } + } + super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void 
refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_ATTR); + + addConfigName(CONFIG_CRITICAL); + int num = getNumAttrs(); + addConfigName(CONFIG_NUM_ATTRS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_ATTR_NAME + i); + addConfigName(CONFIG_PATTERN + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_ATTR_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ATTRS")); + } else if (name.startsWith(CONFIG_ATTR_NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ATTR_NAME")); + } else if (name.startsWith(CONFIG_PATTERN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ATTR_VALUE")); + } else if (name.startsWith(CONFIG_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ATTRS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ATTRS")); + } + + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_ATTR)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJDIR_ATTRS")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + 
SubjectDirAttributesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (name.equals(VAL_CRITICAL)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_ATTR)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) { + return; + } + Vector v = parseRecords(value); + int size = v.size(); + + boolean critical = ext.isCritical(); + + Vector attrV = new Vector(); + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + String attrName = null; + String attrValue = null; + String enable = "false"; + + for (String name1 : nvps.keySet()) { + + if (name1.equals(ATTR_NAME)) { + attrName = nvps.get(name1); + } else if (name1.equals(ATTR_VALUE)) { + attrValue = nvps.get(name1); + } else if (name1.equals(ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable.equals("true")) { + AttributeConfig attributeConfig = + new AttributeConfig(attrName, attrValue); + Attribute attr = attributeConfig.mAttribute; + if (attr != null) + attrV.addElement(attr); + } + } + + if (attrV.size() > 0) { + Attribute[] attrList = new Attribute[attrV.size()]; + attrV.copyInto(attrList); + ext = new SubjectDirAttributesExtension(attrList, critical); + } else + return; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + ext, info); + } catch (EProfileException e) { + CMS.debug("SubjectDirAttributesExtDefault: setValue " + + 
e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (IOException e) { + CMS.debug("SubjectDirAttributesExtDefault: setValue " + + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + SubjectDirAttributesExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (name.equals(VAL_CRITICAL)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_ATTR)) { + ext = (SubjectDirAttributesExtension) + getExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + info); + + if (ext == null) + return ""; + + X500NameAttrMap map = X500NameAttrMap.getDefault(); + + Vector recs = new Vector(); + int num = getNumAttrs(); + Enumeration e = ext.getAttributesList(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: attributesList=" + e); + int i = 0; + + while (e.hasMoreElements()) { + NameValuePairs pairs = new NameValuePairs(); + pairs.put(ENABLE, "true"); + Attribute attr = e.nextElement(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: attribute=" + attr); + ObjectIdentifier oid = attr.getOid(); + CMS.debug("SubjectDirAttributesExtDefault: getValue: oid=" + oid); + + String vv = map.getName(oid); + + if (vv != null) + pairs.put(ATTR_NAME, vv); + else + pairs.put(ATTR_NAME, oid.toString()); + Enumeration v = attr.getValues(); + + // just support single value for now + StringBuffer ss = new 
StringBuffer(); + while (v.hasMoreElements()) { + if (ss.length() == 0) + ss.append((String) (v.nextElement())); + else { + ss.append(","); + ss.append((String) (v.nextElement())); + } + } + + pairs.put(ATTR_VALUE, ss.toString()); + recs.addElement(pairs); + i++; + } + + for (; i < num; i++) { + NameValuePairs pairs = new NameValuePairs(); + pairs.put(ENABLE, "false"); + pairs.put(ATTR_NAME, "GENERATIONQUALIFIER"); + pairs.put(ATTR_VALUE, ""); + recs.addElement(pairs); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer sb = new StringBuffer(); + int num = getNumAttrs(); + + for (int i = 0; i < num; i++) { + sb.append("Record #"); + sb.append(i); + sb.append("{"); + sb.append(ATTR_NAME + ":"); + sb.append(getConfig(CONFIG_ATTR_NAME + i)); + sb.append(","); + sb.append(ATTR_VALUE + ":"); + sb.append(getConfig(CONFIG_PATTERN + i)); + sb.append(","); + sb.append(ENABLE + ":"); + sb.append(getConfig(CONFIG_ENABLE + i)); + sb.append("}"); + } + return CMS.getUserMessage(locale, + "CMS_PROFILE_DEF_SUBJECT_DIR_ATTR_EXT", + getConfig(CONFIG_CRITICAL), + sb.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectDirAttributesExtension ext = createExtension(request); + + if (ext == null) + return; + + addExtension(PKIXExtensions.SubjectDirectoryAttributes_Id.toString(), + ext, info); + } + + public SubjectDirAttributesExtension createExtension(IRequest request) + throws EProfileException { + SubjectDirAttributesExtension ext = null; + int num = 0; + + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + num = getNumAttrs(); + + AttributeConfig attributeConfig = null; + Vector attrs = new Vector(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + String attrName = getConfig(CONFIG_ATTR_NAME + i); + String pattern = getConfig(CONFIG_PATTERN + i); + if (pattern == null || pattern.equals("")) + pattern = " "; + + //check pattern syntax + int startpos = pattern.indexOf("$"); + int lastpos = pattern.lastIndexOf("$"); + String attrValue = pattern; + if (!pattern.equals("") && startpos != -1 && + startpos == 0 && lastpos != -1 && + lastpos == (pattern.length() - 1)) { + if (request != null) { + try { + attrValue = mapPattern(request, pattern); + } catch (IOException e) { + throw new EProfileException(e.toString()); + } + } + } + try { + attributeConfig = new AttributeConfig(attrName, attrValue); + } catch (EPropertyException e) { + throw new EProfileException(e.toString()); + } + Attribute attr = attributeConfig.mAttribute; + if (attr != null) { + attrs.addElement(attr); + } + } + } + + if (attrs.size() > 0) { + Attribute[] attrList = new Attribute[attrs.size()]; + attrs.copyInto(attrList); + try { + ext = + new SubjectDirAttributesExtension(attrList, critical); + } catch (IOException e) { + throw new EProfileException(e.toString()); + } + } + + return ext; + } +} + +class AttributeConfig { + + protected ObjectIdentifier mAttributeOID = null; + protected Attribute mAttribute = null; + + public 
AttributeConfig(String attrName, String attrValue) + throws EPropertyException { + X500NameAttrMap map = X500NameAttrMap.getDefault(); + + if (attrName == null || attrName.length() == 0) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_SUBJDIR_EMPTY_ATTRNAME", attrName)); + } + + if (attrValue == null || attrValue.length() == 0) { + throw new EPropertyException( + CMS.getUserMessage("CMS_PROFILE_SUBJDIR_EMPTY_ATTRVAL", attrValue)); + } + + try { + mAttributeOID = new ObjectIdentifier(attrName); + } catch (Exception e) { + CMS.debug("SubjectDirAttributesExtDefault: invalid OID syntax: " + attrName); + } + + if (mAttributeOID == null) { + mAttributeOID = map.getOid(attrName); + if (mAttributeOID == null) + throw new EPropertyException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", attrName)); + try { + checkValue(mAttributeOID, attrValue); + } catch (IOException e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", e.getMessage())); + } + } + + try { + mAttribute = new Attribute(mAttributeOID, + str2MultiValues(attrValue)); + } catch (IOException e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", e.getMessage())); + } + } + + private static void checkValue(ObjectIdentifier oid, String val) + throws IOException { + AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter(oid); + + @SuppressWarnings("unused") + DerValue derval = c.getValue(val); // check for errors + return; + } + + private Vector str2MultiValues(String attrValue) { + StringTokenizer tokenizer = new StringTokenizer(attrValue, ","); + Vector v = new Vector(); + while (tokenizer.hasMoreTokens()) { + v.addElement(tokenizer.nextToken()); + } + + return v; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java new file mode 100644 index 000000000..8ea7533cc --- /dev/null 
+++ b/base/common/src/com/netscape/cms/profile/def/SubjectInfoAccessExtDefault.java 
@@ -0,0 +1,448 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.extensions.AccessDescription; +import netscape.security.extensions.SubjectInfoAccessExtension; +import netscape.security.util.ObjectIdentifier; +import netscape.security.x509.GeneralName; +import netscape.security.x509.GeneralNameInterface; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.common.NameValuePairs; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates Subject Info Access extension. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectInfoAccessExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "subjInfoAccessCritical"; + public static final String CONFIG_NUM_ADS = "subjInfoAccessNumADs"; + public static final String CONFIG_AD_ENABLE = "subjInfoAccessADEnable_"; + public static final String CONFIG_AD_METHOD = "subjInfoAccessADMethod_"; + public static final String CONFIG_AD_LOCATIONTYPE = "subjInfoAccessADLocationType_"; + public static final String CONFIG_AD_LOCATION = "subjInfoAccessADLocation_"; + + public static final String VAL_CRITICAL = "subjInfoAccessCritical"; + public static final String VAL_GENERAL_NAMES = "subjInfoAccessGeneralNames"; + + private static final String AD_METHOD = "Method"; + private static final String AD_LOCATION_TYPE = "Location Type"; + private static final String AD_LOCATION = "Location"; + private static final String AD_ENABLE = "Enable"; + + private static final int DEF_NUM_AD = 1; + private static final int MAX_NUM_AD = 100; + + public SubjectInfoAccessExtDefault() { + super(); + } + + protected int getNumAds() { + int num = DEF_NUM_AD; + String numAds = getConfig(CONFIG_NUM_ADS); + + if (numAds != null) { + try { + num = Integer.parseInt(numAds); + } catch (NumberFormatException e) { + // ignore + } + } + if (num >= MAX_NUM_AD) + num = DEF_NUM_AD; + + return num; + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + refreshConfigAndValueNames(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + int num = 0; + if (name.equals(CONFIG_NUM_ADS)) { + try { + num = Integer.parseInt(value); + + if (num >= MAX_NUM_AD || num < 0) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NUM_ADS)); + } + } + 
super.setConfig(name, value); + } + + public Enumeration getConfigNames() { + refreshConfigAndValueNames(); + return super.getConfigNames(); + } + + protected void refreshConfigAndValueNames() { + super.refreshConfigAndValueNames(); + + addValueName(VAL_CRITICAL); + addValueName(VAL_GENERAL_NAMES); + + // register configuration names bases on num ads + addConfigName(CONFIG_CRITICAL); + int num = getNumAds(); + addConfigName(CONFIG_NUM_ADS); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_AD_METHOD + i); + addConfigName(CONFIG_AD_LOCATIONTYPE + i); + addConfigName(CONFIG_AD_LOCATION + i); + addConfigName(CONFIG_AD_ENABLE + i); + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.startsWith(CONFIG_AD_METHOD)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_METHOD")); + } else if (name.startsWith(CONFIG_AD_LOCATIONTYPE)) { + return new Descriptor(IDescriptor.CHOICE, + "RFC822Name,DNSName,DirectoryName,EDIPartyName,URIName,IPAddress,OIDName", + "URIName", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATIONTYPE")); + } else if (name.startsWith(CONFIG_AD_LOCATION)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_AD_LOCATION")); + } else if (name.startsWith(CONFIG_AD_ENABLE)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_AD_ENABLE")); + } else if (name.startsWith(CONFIG_NUM_ADS)) { + return new Descriptor(IDescriptor.INTEGER, null, + "1", + CMS.getUserMessage(locale, "CMS_PROFILE_NUM_ADS")); + } + return null; + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + 
CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_GENERAL_NAMES)) { + return new Descriptor(IDescriptor.STRING_LIST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GENERAL_NAMES")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + try { + SubjectInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectInfoAccessExtension a = new SubjectInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + populate(null, info); + } + + if (name.equals(VAL_CRITICAL)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + boolean val = Boolean.valueOf(value).booleanValue(); + + if (ext == null) { + return; + } + ext.setCritical(val); + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return; + } + boolean critical = ext.isCritical(); + + Vector v = parseRecords(value); + int size = v.size(); + + ext = new SubjectInfoAccessExtension(critical); + String method = null; + String locationType = null; + String location = null; + String enable = null; + + for (int i = 0; i < size; i++) { + NameValuePairs nvps = v.elementAt(i); + + for (String name1 : nvps.keySet()) { + + if (name1.equals(AD_METHOD)) { + method = nvps.get(name1); + } else if (name1.equals(AD_LOCATION_TYPE)) { + locationType = nvps.get(name1); + } else if (name1.equals(AD_LOCATION)) { + location = nvps.get(name1); + } else if (name1.equals(AD_ENABLE)) { + enable = nvps.get(name1); + } + } + + if (enable != null && enable.equals("true")) { + GeneralName gn = null; + + if (locationType != null || location != null) { + GeneralNameInterface 
interface1 = parseGeneralName(locationType + ":" + location); + if (interface1 == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", locationType)); + gn = new GeneralName(interface1); + } + + if (method != null) { + try { + ext.addAccessDescription(new ObjectIdentifier(method), gn); + } catch (NumberFormatException ee) { + CMS.debug("SubjectInfoAccessExtDefault: " + ee.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_DEF_SIA_OID", method)); + } + } + } + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + replaceExtension(ext.getExtensionId().toString(), ext, info); + } catch (IOException e) { + CMS.debug("SubjectInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } catch (EProfileException e) { + CMS.debug("SubjectInfoAccessExtDefault: " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + SubjectInfoAccessExtension ext = null; + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectInfoAccessExtension a = new SubjectInfoAccessExtension(false); + ObjectIdentifier oid = a.getExtensionId(); + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + CMS.debug("SubjectInfoAccessExtDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + if (name.equals(VAL_CRITICAL)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { 
+ return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_GENERAL_NAMES)) { + + ext = (SubjectInfoAccessExtension) + getExtension(oid.toString(), info); + + if (ext == null) + return ""; + + int num = getNumAds(); + + CMS.debug("SubjectInfoAccess num=" + num); + Vector recs = new Vector(); + + for (int i = 0; i < num; i++) { + NameValuePairs np = new NameValuePairs(); + AccessDescription des = null; + + if (i < ext.numberOfAccessDescription()) { + des = ext.getAccessDescription(i); + } + if (des == null) { + np.put(AD_METHOD, ""); + np.put(AD_LOCATION_TYPE, ""); + np.put(AD_LOCATION, ""); + np.put(AD_ENABLE, "false"); + } else { + ObjectIdentifier methodOid = des.getMethod(); + GeneralName gn = des.getLocation(); + + np.put(AD_METHOD, methodOid.toString()); + np.put(AD_LOCATION_TYPE, getGeneralNameType(gn)); + np.put(AD_LOCATION, getGeneralNameValue(gn)); + np.put(AD_ENABLE, "true"); + } + recs.addElement(np); + } + + return buildRecords(recs); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + StringBuffer ads = new StringBuffer(); + int num = getNumAds(); + + for (int i = 0; i < num; i++) { + ads.append("Record #"); + ads.append(i); + ads.append("{"); + ads.append(AD_METHOD + ":"); + ads.append(getConfig(CONFIG_AD_METHOD + i)); + ads.append(","); + ads.append(AD_LOCATION_TYPE + ":"); + ads.append(getConfig(CONFIG_AD_LOCATIONTYPE + i)); + ads.append(","); + ads.append(AD_LOCATION + ":"); + ads.append(getConfig(CONFIG_AD_LOCATION + i)); + ads.append(","); + ads.append(AD_ENABLE + ":"); + ads.append(getConfig(CONFIG_AD_ENABLE + i)); + ads.append("}"); + } + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SIA_TEXT", + getConfig(CONFIG_CRITICAL), ads.toString()); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectInfoAccessExtension ext = createExtension(); + + addExtension(ext.getExtensionId().toString(), ext, info); + } + + public SubjectInfoAccessExtension createExtension() { + SubjectInfoAccessExtension ext = null; + int num = getNumAds(); + + try { + boolean critical = getConfigBoolean(CONFIG_CRITICAL); + + ext = new SubjectInfoAccessExtension(critical); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_AD_ENABLE + i); + if (enable != null && enable.equals("true")) { + CMS.debug("SubjectInfoAccess: createExtension i=" + i); + String method = getConfig(CONFIG_AD_METHOD + i); + String locationType = getConfig(CONFIG_AD_LOCATIONTYPE + i); + if (locationType == null || locationType.length() == 0) + locationType = "URIName"; + String location = getConfig(CONFIG_AD_LOCATION + i); + + if (location == null || location.equals("")) { + if (method.equals("1.3.6.1.5.5.7.48.1")) { + String hostname = CMS.getEENonSSLHost(); + String port = CMS.getEENonSSLPort(); + if (hostname != null && port != null) + location = "http://" + hostname + ":" + port + "/ocsp"; + } + } + + String s = locationType + ":" + location; + GeneralNameInterface gn = parseGeneralName(s); + if (gn != null) { + ext.addAccessDescription(new ObjectIdentifier(method), + new GeneralName(gn)); + } + } + } + } catch (Exception e) { + CMS.debug("SubjectInfoAccessExtDefault: createExtension " + + e.toString()); + } + + return ext; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java new file mode 100644 index 000000000..9476e45f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java 
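Review bot: In setValue's VAL_GENERAL_NAMES branch the four locals `method`, `locationType`, `location` and `enable` are declared before the `for (int i = 0; i < size; i++)` loop and are only overwritten when the matching key is present, so a record that omits `Enable` or `Method` silently inherits the previous record's values and can add an access description the caller never enabled; declare them inside the loop body (`String method = null, locationType = null, location = null, enable = null;` as the loop's first statement). The `locationType != null || location != null` test then builds the string `"null:" + location` when only one side is set — `&&` looks like the intended condition, or the record should be rejected. Separately, createExtension catches `Exception` and only debug-logs it, so an unparseable `subjInfoAccessADMethod_i` OID or a missing method (NullPointerException on `method.equals(...)` when the location is empty) yields an extension with fewer access descriptions than the profile configured instead of a failed enrollment; rethrowing as EProfileException from populate would make the misconfiguration visible.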
@@ -0,0 +1,217 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Locale; + +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SubjectKeyIdentifierExtension; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a subject key identifier extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "critical"; + + public static final String VAL_CRITICAL = "critical"; + public static final String VAL_KEY_ID = "keyid"; + + public SubjectKeyIdentifierExtDefault() { + super(); + addValueName(VAL_CRITICAL); + addValueName(VAL_KEY_ID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CRITICAL)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(VAL_KEY_ID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_ID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_CRITICAL)) { + // read-only; do nothing + } else if (name.equals(VAL_KEY_ID)) { + // read-only; do nothing + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + SubjectKeyIdentifierExtension ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + try { + populate(null, info); + + } catch (EProfileException e) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + 
} + + if (name.equals(VAL_CRITICAL)) { + ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + return null; + } + if (ext.isCritical()) { + return "true"; + } else { + return "false"; + } + } else if (name.equals(VAL_KEY_ID)) { + ext = + (SubjectKeyIdentifierExtension) getExtension( + PKIXExtensions.SubjectKey_Id.toString(), info); + + if (ext == null) { + return null; + } + KeyIdentifier kid = null; + + try { + kid = (KeyIdentifier) + ext.get(SubjectKeyIdentifierExtension.KEY_ID); + } catch (IOException e) { + CMS.debug("SubjectKeyIdentifierExtDefault::getValue() - " + + "kid is null!"); + throw new EPropertyException(CMS.getUserMessage(locale, + "CMS_INVALID_PROPERTY", + name)); + } + return toHexString(kid.getIdentifier()); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_KEY_ID_EXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + SubjectKeyIdentifierExtension ext = createExtension(info); + + addExtension(PKIXExtensions.SubjectKey_Id.toString(), ext, info); + } + + public SubjectKeyIdentifierExtension createExtension(X509CertInfo info) { + KeyIdentifier kid = getKeyIdentifier(info); + + if (kid == null) { + CMS.debug("SubjectKeyIdentifierExtDefault: KeyIdentifier not found"); + return null; + } + SubjectKeyIdentifierExtension ext = null; + + boolean critical = Boolean.valueOf(getConfig(CONFIG_CRITICAL)).booleanValue(); + + try { + ext = new SubjectKeyIdentifierExtension(critical, kid.getIdentifier()); + } catch (IOException e) { + CMS.debug("SubjectKeyIdentifierExtDefault: createExtension " + + e.toString()); + // + } + return ext; + } + + public KeyIdentifier getKeyIdentifier(X509CertInfo info) { + try { + CertificateX509Key infokey = (CertificateX509Key) + info.get(X509CertInfo.KEY); + X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY); + MessageDigest md = MessageDigest.getInstance("SHA-1"); + + md.update(key.getKey()); + byte[] hash = md.digest(); + + return new KeyIdentifier(hash); + } catch (NoSuchAlgorithmException e) { + CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + + e.toString()); + } catch (Exception e) { + CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " + + e.toString()); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java new file mode 100644 index 000000000..479219b84 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
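Review bot: populate passes the result of createExtension(info) straight to addExtension, but createExtension returns null both when getKeyIdentifier finds no key in the template and when the SubjectKeyIdentifierExtension constructor throws IOException, so populate should guard the way SubjectDirAttributesExtDefault.populate in this same patch does: `if (ext == null) return;` before the addExtension call (what addExtension does with a null extension is not visible here). getValue has the same gap for VAL_KEY_ID: `ext.get(KEY_ID)` can presumably return null without throwing, in which case `kid.getIdentifier()` raises NullPointerException and the "kid is null!" log line inside the IOException handler never fires — check `kid == null` explicitly and throw the EPropertyException there. Also note that RFC 5280 §4.2.1.2 requires the subject key identifier extension to be non-critical, yet createExtension honours a `critical` config value that the class never registers via addConfigName; either drop the flag or document that setting it produces non-conforming certificates. The SHA-1 over the public key bits in getKeyIdentifier is the RFC 5280 method (1) key-identifier derivation, not a signature, so it is not a weakness on its own.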
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameDefault extends EnrollDefault { + + public static final String CONFIG_NAME = "name"; + + public static final String VAL_NAME = "name"; + + public SubjectNameDefault() { + super(); + addValueName(VAL_NAME); + addConfigName(CONFIG_NAME); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, "CN=TEST", CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + if (x500name != null) { + CMS.debug("SubjectNameDefault: setValue x500name=" + x500name.toString()); + } + } catch (IOException e) { + CMS.debug("SubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("SubjectNameDefault: setValue name=" + x500name.toString()); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("SubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } 
+ } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("SubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("SubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("SubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_SUBJECT_NAME", + getConfig(CONFIG_NAME)); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + + String subjectName = null; + + try { + subjectName = mapPattern(request, getConfig(CONFIG_NAME)); + } catch (IOException e) { + CMS.debug("SubjectNameDefault: mapPattern " + e.toString()); + } + + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + try { + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("SubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("SubjectNameDefault: populate " + e.toString()); + } + } +} 
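Review bot: In setValue, when `new X500Name(value)` throws IOException the exception is only debug-logged and `x500name` stays null, so the very next statement `CMS.debug("SubjectNameDefault: setValue name=" + x500name.toString())` raises NullPointerException instead of the EPropertyException the method declares; put `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));` in that catch block and drop the dead `if (x500name != null)` test. populate has the parallel problem: a pattern that expands to an unparseable DN leaves `name` null, the empty `if (name == null) { }` block does nothing, and `new CertificateSubjectName(null)` is stored into the template with any failure swallowed — throw EProfileException there so the enrollment fails rather than proceeding with a bad subject. mapPattern is not visible in this hunk, but if it substitutes request attribute values verbatim into the configured DN pattern, a value containing `,` or `=` could introduce additional RDNs; the substituted values need RFC 2253 escaping, or the resulting name must be checked by a subject-name constraint in the profile.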
diff --git a/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java b/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java
new file mode 100644
index 000000000..46a78c731
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/def/UserExtensionDefault.java
@@ -0,0 +1,136 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.util.Locale; + +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.Extension; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied extension + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserExtensionDefault extends EnrollExtDefault { + + public static final String CONFIG_CRITICAL = "userExtCritical"; + public static final String CONFIG_OID = "userExtOID"; + + public static final String VAL_CRITICAL = "userExtCritical"; + public static final String VAL_OID = "userExtOID"; + + public UserExtensionDefault() { + super(); + addValueName(VAL_OID); + addConfigName(CONFIG_OID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_OID)) { + return new Descriptor(IDescriptor.STRING, null, + "Comment Here...", + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_OID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_OID")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // Nothing to do for read-only values + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_OID)) { + Extension ext = getExtension(getConfig(CONFIG_OID), info); + + if (ext == null) { + // do something here + return ""; + } + return ext.getExtensionId().toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_EXT", getConfig(CONFIG_OID)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateExtensions inExts = null; + String oid = getConfig(CONFIG_OID); + + inExts = request.getExtDataInCertExts(IEnrollProfile.REQUEST_EXTENSIONS); + if (inExts == null) + return; + Extension ext = getExtension(getConfig(CONFIG_OID), inExts); + if (ext == null) { + CMS.debug("UserExtensionDefault: no user ext supplied for " + oid); + return; + } + + // user supplied the ext that's allowed, replace the def set by system + deleteExtension(oid, info); + CMS.debug("UserExtensionDefault: using user supplied ext for " + oid); + addExtension(oid, ext, info); + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java b/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java new file mode 100644 index 000000000..b1dc9d116 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserKeyDefault.java 
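Review bot: `CONFIG_CRITICAL` and `VAL_CRITICAL` are declared at the top of the class but never registered with `addConfigName`/`addValueName` and never read, so `populate` copies the request's extension into the template presumably with whatever critical flag the requester set; either wire the config in (`addConfigName(CONFIG_CRITICAL);` and apply it before `addExtension`) or drop the two constants. The `getConfigDescriptor` default for `CONFIG_OID` is the placeholder string `"Comment Here..."`, which presumably surfaces as the suggested value to whoever edits the profile; `null` matches the other defaults in this package. `populate` also calls `getConfig(CONFIG_OID)` a second time where `oid` is already available. In `getValue` the `// do something here` comment should say what the empty return means, e.g. `// no extension with the configured OID is present in the template`.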
@@ -0,0 +1,233 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.ByteArrayInputStream; +import java.math.BigInteger; +import java.security.interfaces.DSAParams; +import java.util.Locale; + +import netscape.security.provider.DSAPublicKey; +import netscape.security.provider.RSAPublicKey; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.X509CertInfo; +import netscape.security.x509.X509Key; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user supplied key + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserKeyDefault extends EnrollDefault { + + public static final String VAL_KEY = "KEY"; + public static final String VAL_LEN = "LEN"; + public static final String VAL_TYPE = "TYPE"; + + public UserKeyDefault() { + super(); + addValueName(VAL_TYPE); + addValueName(VAL_LEN); + addValueName(VAL_KEY); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEY)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY")); + } else if (name.equals(VAL_LEN)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_LEN")); + } else if (name.equals(VAL_TYPE)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_KEY_TYPE")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // this default rule is readonly + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_KEY)) { + CertificateX509Key ck = null; + + try { + ck = (CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + return toHexString(k.getKey()); + } else if (name.equals(VAL_LEN)) { + CertificateX509Key ck = null; + + try { + ck = 
(CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + try { + if (k.getAlgorithm().equals("RSA")) { + return Integer.toString(getRSAKeyLen(k)); + } else { + return Integer.toString(getDSAKeyLen(k)); + } + } catch (Exception e) { + CMS.debug("UserKeyDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_TYPE)) { + CertificateX509Key ck = null; + + try { + ck = (CertificateX509Key) + info.get(X509CertInfo.KEY); + } catch (Exception e) { + // nothing + } + X509Key k = null; + + try { + k = (X509Key) + ck.get(CertificateX509Key.KEY); + } catch (Exception e) { + // nothing + } + if (k == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_PROFILE_KEY_NOT_FOUND")); + } + return k.getAlgorithm() + " - " + + k.getAlgorithmId().getOID().toString(); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_KEY"); + } + + public int getRSAKeyLen(X509Key key) throws Exception { + X509Key newkey = null; + + try { + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); + } catch (Exception e) { + CMS.debug("UserKeyDefault: getRSAKey " + e.toString()); + throw e; + } + RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); + + return rsaKey.getKeySize(); + } + + public int getDSAKeyLen(X509Key key) throws Exception { + // Check DSAKey parameters. + // size refers to the p parameter. 
+ DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); + DSAParams keyParams = dsaKey.getParams(); + BigInteger p = keyParams.getP(); + int len = p.bitLength(); + + return len; + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateX509Key certKey = null; + // authenticate the certificate key, and move + // the key from request into x509 certinfo + try { + byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); + if (certKeyData != null) { + certKey = new CertificateX509Key( + new ByteArrayInputStream(certKeyData)); + } + info.set(X509CertInfo.KEY, certKey); + } catch (Exception e) { + CMS.debug("UserKeyDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java b/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java new file mode 100644 index 000000000..4aeed6ba3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserSigningAlgDefault.java 
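Review bot: `populate` catches every exception from reading or decoding `REQUEST_KEY` and only logs it, so a malformed request key leaves the template without a key and the enrollment continues as if the default had succeeded; since the method already declares `throws EProfileException`, the catch should rethrow, e.g. `throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_INVALID_PROPERTY", IEnrollProfile.REQUEST_KEY));`, and when `certKeyData` is null the code still executes `info.set(X509CertInfo.KEY, null)`. The header comment `// authenticate the certificate key` overstates what the code does; nothing is verified here, the bytes are only copied. In `getValue` the three branches repeat the same `info.get` / `ck.get` extraction and rely on a swallowed NullPointerException when `ck` is null to reach the `CMS_PROFILE_KEY_NOT_FOUND` throw; a private helper such as `private X509Key extractKey(X509CertInfo info, Locale locale) throws EPropertyException` with explicit null checks would remove the triplication. The `VAL_LEN` branch also treats every non-RSA algorithm as DSA, so any other key type would surface only as the generic `CMS_INVALID_PROPERTY` error from `getDSAKeyLen`.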
@@ -0,0 +1,126 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.ByteArrayInputStream; +import java.util.Locale; + +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied signing algorithm + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserSigningAlgDefault extends EnrollDefault { + + public static final String VAL_ALG_ID = "userSigningAlgID"; + + public UserSigningAlgDefault() { + super(); + addValueName(VAL_ALG_ID); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_ALG_ID)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SIGNING_ALGORITHM")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // this default rule is readonly + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_ALG_ID)) { + CertificateAlgorithmId algID = null; + + try { + algID = (CertificateAlgorithmId) + info.get(X509CertInfo.ALGORITHM_ID); + AlgorithmId id = (AlgorithmId) + algID.get(CertificateAlgorithmId.ALGORITHM); + + return id.toString(); + } catch (Exception e) { + CMS.debug("UserSigningAlgDefault: setValue " + e.toString()); + return ""; //XXX + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateAlgorithmId certAlg = null; + // authenticate the certificate key, and move + // the key from request into x509 certinfo + try { + byte[] certAlgData = request.getExtDataInByteArray( + IEnrollProfile.REQUEST_SIGNING_ALGORITHM); + if (certAlgData != null) { + certAlg = new CertificateAlgorithmId( + new ByteArrayInputStream(certAlgData)); + } + info.set(X509CertInfo.ALGORITHM_ID, certAlg); + } catch (Exception e) { + CMS.debug("UserSigningAlgDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java new file mode 100644 index 000000000..65456e256 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java 
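Review bot: The debug message in the `getValue` catch block is labelled `setValue` (`CMS.debug("UserSigningAlgDefault: setValue " + e.toString())`) and the branch then returns `""` with an `//XXX` marker, so a template without an algorithm id is indistinguishable from a read error; the sibling classes throw `CMS_INVALID_PROPERTY` here, and the label should read `getValue`. `populate` swallows decode failures of `REQUEST_SIGNING_ALGORITHM` the same way `UserKeyDefault.populate` does (logged, never rethrown although the method declares `throws EProfileException`) and, when the request carries no data, still calls `info.set(X509CertInfo.ALGORITHM_ID, null)`. Whether `X509CertInfo.set` rejects a null value is not visible here, so a `certAlg == null` guard before the set would make the intent explicit. The `// authenticate the certificate key` comment is copied from the key default and does not describe this code; `// copy the requested signing algorithm into the certificate template` would.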
@@ -0,0 +1,143 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.util.Locale; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserSubjectNameDefault extends EnrollDefault { + + public static final String VAL_NAME = "name"; + + public UserSubjectNameDefault() { + super(); + addValueName(VAL_NAME); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug(e.toString()); + // failed to build x500 name + } + CMS.debug("SubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("UserSubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + return sn.toString(); + } catch (Exception e) { + // nothing + } + throw new 
EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_SUBJECT_NAME"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + // authenticate the subject name and populate it + // to the certinfo + try { + info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName( + IEnrollProfile.REQUEST_SUBJECT_NAME)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("UserSubjectNameDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java new file mode 100644 index 000000000..3fadb81fd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/UserValidityDefault.java 
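Review bot: In `setValue`, when `new X500Name(value)` throws, the `IOException` is only logged and `x500name` stays null, so the code goes on to call `new CertificateSubjectName(null)` and reports the failure, if at all, from the second try block without the original cause; throw from the first catch instead, `throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name));`. The debug line in that path is labelled `SubjectNameDefault: setValue name=`, which is the name of a different class in this package. In `getValue`, `sn.toString()` runs on a possibly-null `sn` and relies on the swallowed NullPointerException to fall through to the `CMS_INVALID_PROPERTY` throw; an explicit `if (sn == null)` check reads better. `populate` copies the request's subject name into the template without any check and logs rather than propagates failures; presumably a subject-name constraint handles validation, but the method declares `throws EProfileException`, so rethrowing would be consistent with its signature.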
@@ -0,0 +1,149 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.ByteArrayInputStream; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IEnrollProfile; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a user-supplied validity + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class UserValidityDefault extends EnrollDefault { + + public static final String VAL_NOT_BEFORE = "userValdityNotBefore"; + public static final String VAL_NOT_AFTER = "userValdityNotAfter"; + + public UserValidityDefault() { + super(); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, + IDescriptor.READONLY, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + // this default rule is readonly + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NOT_BEFORE)) { + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + Date notBefore = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + + return notBefore.toString(); + } catch (Exception e) { + CMS.debug("UserValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + try { + CertificateValidity validity = null; + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + validity.get(CertificateValidity.NOT_AFTER); + + return 
notAfter.toString(); + } catch (Exception e) { + CMS.debug("UserValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_USER_VALIDITY"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + CertificateValidity certValidity = null; + // authenticate the certificate key, and move + // the key from request into x509 certinfo + try { + byte[] certValidityData = request.getExtDataInByteArray( + IEnrollProfile.REQUEST_VALIDITY); + if (certValidityData != null) { + certValidity = new CertificateValidity(); + certValidity.decode( + new ByteArrayInputStream(certValidityData)); + } + info.set(X509CertInfo.VALIDITY, certValidity); + } catch (Exception e) { + CMS.debug("UserValidityDefault: populate " + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java new file mode 100644 index 000000000..ad06400f3 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java 
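Review bot: `populate` logs and swallows any decode failure of `REQUEST_VALIDITY`, so a malformed user-supplied validity leaves the template unchanged and enrollment proceeds; since the method declares `throws EProfileException`, rethrow, e.g. `throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_INVALID_PROPERTY", IEnrollProfile.REQUEST_VALIDITY));`. When the request carries no validity data, `certValidity` stays null and `info.set(X509CertInfo.VALIDITY, null)` is still executed; whether `X509CertInfo.set` rejects null is not visible here, so a null guard would make the intent explicit. The value names `userValdityNotBefore` / `userValdityNotAfter` misspell "Validity"; these are runtime property names, so correcting them would have to be coordinated with anything that references them. The `// authenticate the certificate key` comment is copied from `UserKeyDefault` and does not describe this method, and `getValue` returns `Date.toString()` (locale and timezone dependent) where `ValidityDefault` uses a fixed `yyyy-MM-dd HH:mm:ss` format.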
@@ -0,0 +1,263 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.text.ParsePosition; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a server-side configurable validity + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class ValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + + public ValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + 
return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("ValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("ValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + if (name.equals(VAL_NOT_BEFORE)) { + 
SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("ValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException("Invalid valie"); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("ValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", + getConfig(CONFIG_RANGE)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("ValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("ValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("ValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java new file mode 100644 index 000000000..6b5ab6bc0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsHKeySubjectNameDefault.java 
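Review bot: In `setValue`, `formatter.parse(value, pos)` returns null rather than throwing on an unparsable date, so a bad `notBefore`/`notAfter` string reaches `validity.set(..., null)` and is rejected only if `CertificateValidity.set` happens to object; check the result first in both branches, `if (date == null) { throw new EPropertyException(CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)); }`. The `VAL_NOT_BEFORE` branch of `getValue` throws `new EPropertyException("Invalid valie")` (typo, not localized) while the `VAL_NOT_AFTER` branch uses `CMS.getUserMessage(locale, "CMS_INVALID_PROPERTY", name)`; the two should match. In `populate`, `Integer.parseInt(startTimeStr)` sits outside any try, so a non-numeric start time (after `mapPattern` substitution) escapes as a `NumberFormatException` instead of the `EProfileException` the range parse is wrapped in, and `1000 * startTime` is int arithmetic that overflows for large values before it is widened to long. `setConfig` also rejects any `CONFIG_RANGE` that `Integer.parseInt` cannot read, yet `populate` runs `mapPattern` on the same value, which suggests pattern-containing ranges are meant to be allowed; one of the two should change, and the `// failed to insert subject name` comment in the last catch belongs to another class.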
@@ -0,0 +1,215 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates server-side configurable subject name
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class nsHKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + + public static final String VAL_NAME = "name"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=SecureMember - $request.tokencuid$, OU=Subscriber, O=Red Hat, C=US"; + + protected IConfigStore mParamsConfig; + + public nsHKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + + addValueName(CONFIG_DNPATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsHKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsHKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsHKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsHKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + 
CMS.debug("nsHKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsHKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsHKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsHKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsHKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsHKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsHKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsHKeySubjectNameDefault: in populate"); + + try { + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsHKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsHKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsHKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + String sbjname = ""; + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsHKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + + return sbjname; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java new file mode 100644 index 000000000..cc1a8de81 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsNKeySubjectNameDefault.java 
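Review bot: `populate` swallows the IOException from `new X500Name(subjectName)` and then falls through to `info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name))` with `name` still null; the `if (name == null) { }` block right before it is empty, so a malformed DN is silently turned into a subject with no name instead of a rejected request. Replace the empty block with `if (name == null) throw new EProfileException("nsHKeySubjectNameDefault: invalid subject name: " + subjectName);` (declaring `subjectName` before the try so it is in scope); `setValue` has the same null fallthrough into `new CertificateSubjectName(x500name)`. Separately, the DN is assembled by substituting request data (`$request.tokencuid$`) into a string that is then parsed as a DN, so if `mapPattern` inserts the value verbatim a CUID containing `,` or `=` would be parsed as additional RDNs; presumably the token CUID is constrained upstream, but that is worth confirming or escaping the substituted values before parsing. Note also that `DEFAULT_DNPATTERN` is never read: `getSubjectName` falls back to `" "` when `dnpattern` is unset.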
@@ -0,0 +1,423 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+//ldap java sdk
+import java.io.IOException;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates server-side configurable subject name
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class nsNKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_LDAP = "ldap"; + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + public static final String CONFIG_LDAP_STRING_ATTRS = "ldapStringAttributes"; + public static final String CONFIG_LDAP_HOST = "ldap.ldapconn.host"; + public static final String CONFIG_LDAP_PORT = "ldap.ldapconn.port"; + public static final String CONFIG_LDAP_SEC_CONN = "ldap.ldapconn.secureConn"; + public static final String CONFIG_LDAP_VER = "ldap.ldapconn.Version"; + public static final String CONFIG_LDAP_BASEDN = "ldap.basedn"; + public static final String CONFIG_LDAP_MIN_CONN = "ldap.minConns"; + public static final String CONFIG_LDAP_MAX_CONN = "ldap.maxConns"; + + public static final String VAL_NAME = "name"; + + public static final String CONFIG_LDAP_VERS = + "2,3"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=$request.aoluid$, E=$request.mail$"; + + /* ldap configuration sub-store */ + boolean mInitialized = false; + protected IConfigStore mInstConfig; + protected IConfigStore mLdapConfig; + protected IConfigStore mParamsConfig; + + /* ldap base dn */ + protected String mBaseDN = null; + + /* factory of anonymous ldap connections */ + protected ILdapConnFactory mConnFactory = null; + + /* the list of LDAP attributes with string values to retrieve to + * form the subject dn. 
*/ + protected String[] mLdapStringAttrs = null; + + public nsNKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + addConfigName(CONFIG_LDAP_STRING_ATTRS); + addConfigName(CONFIG_LDAP_HOST); + addConfigName(CONFIG_LDAP_PORT); + addConfigName(CONFIG_LDAP_SEC_CONN); + addConfigName(CONFIG_LDAP_VER); + addConfigName(CONFIG_LDAP_BASEDN); + addConfigName(CONFIG_LDAP_MIN_CONN); + addConfigName(CONFIG_LDAP_MAX_CONN); + + addValueName(CONFIG_DNPATTERN); + addValueName(CONFIG_LDAP_STRING_ATTRS); + addValueName(CONFIG_LDAP_HOST); + addValueName(CONFIG_LDAP_PORT); + addValueName(CONFIG_LDAP_SEC_CONN); + addValueName(CONFIG_LDAP_VER); + addValueName(CONFIG_LDAP_BASEDN); + addValueName(CONFIG_LDAP_MIN_CONN); + addValueName(CONFIG_LDAP_MAX_CONN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mInstConfig = config; + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsNKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else if (name.equals(CONFIG_LDAP_STRING_ATTRS)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_STRING_ATTRS")); + } else if (name.equals(CONFIG_LDAP_HOST)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_HOST_NAME")); + } else if (name.equals(CONFIG_LDAP_PORT)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_PORT_NUMBER")); + } else if (name.equals(CONFIG_LDAP_SEC_CONN)) { + return new Descriptor(IDescriptor.BOOLEAN, + null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_SECURE_CONN")); + } else if (name.equals(CONFIG_LDAP_VER)) { + return new 
Descriptor(IDescriptor.CHOICE, CONFIG_LDAP_VERS, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_VERSION")); + } else if (name.equals(CONFIG_LDAP_BASEDN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_BASEDN")); + } else if (name.equals(CONFIG_LDAP_MIN_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_MIN_CONN")); + } else if (name.equals(CONFIG_LDAP_MAX_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_NSNKEY_LDAP_MAX_CONN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsNKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsNKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsNKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("nsNKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsNKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + 
locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsNKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsNKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsNKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsNKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsNKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + public void ldapInit() + throws EProfileException { + if (mInitialized == true) + return; + + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): begin"); + + try { + // cfu - XXX do more error handling here later + /* initialize ldap server configuration */ + mParamsConfig = mInstConfig.getSubStore(PROP_PARAMS); + mLdapConfig = mParamsConfig.getSubStore(PROP_LDAP); + mBaseDN = mParamsConfig.getString(CONFIG_LDAP_BASEDN, null); + mConnFactory = CMS.getLdapAnonConnFactory(); + mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mParamsConfig.getString(CONFIG_DNPATTERN, null); + + if (pattern == null || pattern.length() == 0) + pattern = DEFAULT_DNPATTERN; + + /* initialize ldap string attribute list */ + String ldapStringAttrs = mParamsConfig.getString(CONFIG_LDAP_STRING_ATTRS, null); + + if ((ldapStringAttrs 
!= null) && (ldapStringAttrs.length() != 0)) { + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); + + mLdapStringAttrs = new String[pAttrs.countTokens()]; + + for (int i = 0; i < mLdapStringAttrs.length; i++) { + mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); + } + } + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): done"); + mInitialized = true; + } catch (Exception e) { + CMS.debug("nsNKeySubjectNameDefault: ldapInit(): " + e.toString()); + // throw EProfileException... + throw new EProfileException("ldap init failure: " + e.toString()); + } + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsNKeySubjectNameDefault: in populate"); + ldapInit(); + try { + // cfu - this goes to ldap + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsNKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsNKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsNKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + LDAPConnection conn = null; + String userdn = null; + String sbjname = ""; + // get DN from ldap to fill request + try { + if (mConnFactory == null) { + conn = null; + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): no LDAP connection"); + 
throw new EProfileException("no LDAP connection"); + } else { + conn = mConnFactory.getConn(); + if (conn == null) { + CMS.debug("nsNKeySubjectNameDefault::getSubjectName() - " + + "no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): got LDAP connection"); + } + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } else { + CMS.debug("nsNKeySubjectNameDefault::getSubjectName() - " + + "request is null!"); + throw new EProfileException("request is null"); + } + // retrieve the attributes + // get user dn. + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): about to search with basedn = " + mBaseDN); + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(aoluid=" + request.getExtDataInString("aoluid") + ")", null, false); + + if (res.hasMoreElements()) { + LDAPEntry entry = res.next(); + + userdn = entry.getDN(); + } else {// put into property file later - cfu + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): screen name does not exist"); + throw new EProfileException("screenname does not exist"); + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): retrieved entry for aoluid = " + + request.getExtDataInString("aoluid")); + ; + + LDAPEntry entry = null; + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): about to search with " + + mLdapStringAttrs.length + " attributes"); + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + mLdapStringAttrs, false); + + if (!results.hasMoreElements()) { + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): no attributes"); + throw new EProfileException("no ldap attributes found"); + } + entry = results.next(); + // set attrs into request + for (int i = 0; i < mLdapStringAttrs.length; i++) { + LDAPAttribute la = + 
entry.getAttribute(mLdapStringAttrs[i]); + if (la != null) { + String[] sla = la.getStringValueArray(); + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): got attribute: " + sla[0]); + request.setExtData(mLdapStringAttrs[i], sla[0]); + } + } + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): attributes set in request"); + } catch (Exception e) { + CMS.debug("nsNKeySubjectNameDefault: getSubjectName(): " + e.toString()); + throw new EProfileException("getSubjectName() failure: " + e.toString()); + } finally { + try { + if (conn != null) + mConnFactory.returnConn(conn); + } catch (Exception e) { + throw new EProfileException("nsNKeySubjectNameDefault: getSubjectName(): connection return failure"); + } + } + return sbjname; + + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java new file mode 100644 index 000000000..77fa417f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsTokenDeviceKeySubjectNameDefault.java 
@@ -0,0 +1,215 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates server-side configurable subject name
+ * into the certificate template.
+ * + * @version $Revision$, $Date$ + */ +public class nsTokenDeviceKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + + public static final String VAL_NAME = "name"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "Token Key Device - $request.tokencuid$"; + + protected IConfigStore mParamsConfig; + + public nsTokenDeviceKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + + addValueName(CONFIG_DNPATTERN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new X500Name(value); + } catch (IOException e) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name 
+ } + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in populate"); + + try { + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenDeviceKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsTokenDeviceKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + + String sbjname = ""; + + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsTokenDeviceKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + + return sbjname; + } +} diff --git a/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java b/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java new file mode 100644 index 000000000..65adabfad --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java 
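Review bot: `populate` catches the IOException from `new X500Name(subjectName)`, leaves `name` null, steps through an empty `if (name == null) { }` block and then stores `new CertificateSubjectName(name)` into the template, so a DN that fails to parse is silently accepted rather than rejected. Replace the empty block with `if (name == null) throw new EProfileException("nsTokenDeviceKeySubjectNameDefault: invalid subject name: " + subjectName);` with `subjectName` declared ahead of the try, and apply the same guard in `setValue`, which likewise passes a possibly-null `x500name` to `CertificateSubjectName`. `DEFAULT_DNPATTERN` (`"Token Key Device - $request.tokencuid$"`) is never used — `getSubjectName` falls back to `" "` when `dnpattern` is unset — and it carries no attribute type, so it is unclear it would even parse as a DN; either wire it in with a `CN=` prefix or drop it. Since the pattern is filled from request data and then parsed, values containing `,` or `=` would presumably become extra RDNs unless `mapPattern` escapes them; worth confirming.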
@@ -0,0 +1,456 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +//ldap java sdk +import java.io.IOException; +import java.util.Locale; +import java.util.StringTokenizer; + +import netscape.ldap.LDAPAttribute; +import netscape.ldap.LDAPConnection; +import netscape.ldap.LDAPEntry; +import netscape.ldap.LDAPSearchResults; +import netscape.ldap.LDAPv2; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ldap.ILdapConnFactory; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates server-side configurable subject name + * into the certificate template. 
+ * + * @version $Revision$, $Date$ + */ +public class nsTokenUserKeySubjectNameDefault extends EnrollDefault { + + public static final String PROP_LDAP = "ldap"; + public static final String PROP_PARAMS = "params"; + public static final String CONFIG_DNPATTERN = "dnpattern"; + public static final String CONFIG_LDAP_ENABLE = "ldap.enable"; + public static final String CONFIG_LDAP_SEARCH_NAME = "ldap.searchName"; + public static final String CONFIG_LDAP_STRING_ATTRS = "ldapStringAttributes"; + public static final String CONFIG_LDAP_HOST = "ldap.ldapconn.host"; + public static final String CONFIG_LDAP_PORT = "ldap.ldapconn.port"; + public static final String CONFIG_LDAP_SEC_CONN = "ldap.ldapconn.secureConn"; + public static final String CONFIG_LDAP_VER = "ldap.ldapconn.Version"; + public static final String CONFIG_LDAP_BASEDN = "ldap.basedn"; + public static final String CONFIG_LDAP_MIN_CONN = "ldap.minConns"; + public static final String CONFIG_LDAP_MAX_CONN = "ldap.maxConns"; + + public static final String VAL_NAME = "name"; + + public static final String CONFIG_LDAP_VERS = + "2,3"; + + /* default dn pattern if left blank or not set in the config */ + protected static String DEFAULT_DNPATTERN = + "CN=$request.uid$, E=$request.mail$"; + + /* ldap configuration sub-store */ + boolean mldapInitialized = false; + boolean mldapEnabled = false; + protected IConfigStore mInstConfig; + protected IConfigStore mLdapConfig; + protected IConfigStore mParamsConfig; + + /* ldap base dn */ + protected String mBaseDN = null; + + /* factory of anonymous ldap connections */ + protected ILdapConnFactory mConnFactory = null; + + /* the list of LDAP attributes with string values to retrieve to + * form the subject dn. 
*/ + protected String[] mLdapStringAttrs = null; + + public nsTokenUserKeySubjectNameDefault() { + super(); + addConfigName(CONFIG_DNPATTERN); + addConfigName(CONFIG_LDAP_ENABLE); + addConfigName(CONFIG_LDAP_SEARCH_NAME); + addConfigName(CONFIG_LDAP_STRING_ATTRS); + addConfigName(CONFIG_LDAP_HOST); + addConfigName(CONFIG_LDAP_PORT); + addConfigName(CONFIG_LDAP_SEC_CONN); + addConfigName(CONFIG_LDAP_VER); + addConfigName(CONFIG_LDAP_BASEDN); + addConfigName(CONFIG_LDAP_MIN_CONN); + addConfigName(CONFIG_LDAP_MAX_CONN); + + addValueName(CONFIG_DNPATTERN); + addValueName(CONFIG_LDAP_ENABLE); + addValueName(CONFIG_LDAP_SEARCH_NAME); + addValueName(CONFIG_LDAP_STRING_ATTRS); + addValueName(CONFIG_LDAP_HOST); + addValueName(CONFIG_LDAP_PORT); + addValueName(CONFIG_LDAP_SEC_CONN); + addValueName(CONFIG_LDAP_VER); + addValueName(CONFIG_LDAP_BASEDN); + addValueName(CONFIG_LDAP_MIN_CONN); + addValueName(CONFIG_LDAP_MAX_CONN); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mInstConfig = config; + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getConfigDescriptor, name=" + name); + if (name.equals(CONFIG_DNPATTERN)) { + return new Descriptor(IDescriptor.STRING, + null, null, CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else if (name.equals(CONFIG_LDAP_STRING_ATTRS)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_STRING_ATTRS")); + } else if (name.equals(CONFIG_LDAP_ENABLE)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_ENABLE")); + } else if (name.equals(CONFIG_LDAP_SEARCH_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_SEARCH_NAME")); + } else if (name.equals(CONFIG_LDAP_HOST)) { + return 
new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_HOST_NAME")); + } else if (name.equals(CONFIG_LDAP_PORT)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_PORT_NUMBER")); + } else if (name.equals(CONFIG_LDAP_SEC_CONN)) { + return new Descriptor(IDescriptor.BOOLEAN, + null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_SECURE_CONN")); + } else if (name.equals(CONFIG_LDAP_VER)) { + return new Descriptor(IDescriptor.CHOICE, CONFIG_LDAP_VERS, + "3", + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_VERSION")); + } else if (name.equals(CONFIG_LDAP_BASEDN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_BASEDN")); + } else if (name.equals(CONFIG_LDAP_MIN_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_MIN_CONN")); + } else if (name.equals(CONFIG_LDAP_MAX_CONN)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_TOKENKEY_LDAP_MAX_CONN")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getValueDescriptor name=" + name); + + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, + null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_SUBJECT_NAME")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + + CMS.debug("nsTokenUserKeySubjectNameDefault: in setValue, value=" + value); + + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + X500Name x500name = null; + + try { + x500name = new 
X500Name(value); + } catch (IOException e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue " + e.toString()); + // failed to build x500 name + } + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenUserKeySubjectNameDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getValue, name=" + name); + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NAME)) { + CertificateSubjectName sn = null; + + try { + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue info=" + info); + sn = (CertificateSubjectName) + info.get(X509CertInfo.SUBJECT); + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue name=" + sn); + return sn.toString(); + } catch (Exception e) { + // nothing + CMS.debug("nsTokenUserKeySubjectNameDefault: getValue " + e.toString()); + + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getText(Locale locale) { + CMS.debug("nsTokenUserKeySubjectNameDefault: in getText"); + return CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME", + getConfig(CONFIG_DNPATTERN)); + } + + public void ldapInit() + throws EProfileException { + if (mldapInitialized == true) + return; + + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): begin"); + + try { + // cfu - XXX do more 
error handling here later + /* initialize ldap server configuration */ + mParamsConfig = mInstConfig.getSubStore(PROP_PARAMS); + mLdapConfig = mParamsConfig.getSubStore(PROP_LDAP); + mldapEnabled = mParamsConfig.getBoolean(CONFIG_LDAP_ENABLE, + false); + if (mldapEnabled == false) + return; + + mBaseDN = mParamsConfig.getString(CONFIG_LDAP_BASEDN, null); + mConnFactory = CMS.getLdapAnonConnFactory(); + mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mParamsConfig.getString(CONFIG_DNPATTERN, null); + + if (pattern == null || pattern.length() == 0) + pattern = DEFAULT_DNPATTERN; + + /* initialize ldap string attribute list */ + String ldapStringAttrs = mParamsConfig.getString(CONFIG_LDAP_STRING_ATTRS, null); + + if ((ldapStringAttrs != null) && (ldapStringAttrs.length() != 0)) { + StringTokenizer pAttrs = + new StringTokenizer(ldapStringAttrs, ",", false); + + mLdapStringAttrs = new String[pAttrs.countTokens()]; + + for (int i = 0; i < mLdapStringAttrs.length; i++) { + mLdapStringAttrs[i] = ((String) pAttrs.nextElement()).trim(); + } + } + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): done"); + mldapInitialized = true; + } catch (Exception e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: ldapInit(): " + e.toString()); + // throw EProfileException... + throw new EProfileException("ldap init failure: " + e.toString()); + } + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + X500Name name = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: in populate"); + ldapInit(); + try { + // cfu - this goes to ldap + String subjectName = getSubjectName(request); + CMS.debug("subjectName=" + subjectName); + if (subjectName == null || subjectName.equals("")) + return; + + name = new X500Name(subjectName); + } catch (IOException e) { + // failed to build x500 name + CMS.debug("nsTokenUserKeySubjectNameDefault: populate " + e.toString()); + } + if (name == null) { + // failed to build x500 name + } + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("nsTokenUserKeySubjectNameDefault: populate " + e.toString()); + } + } + + private String getSubjectName(IRequest request) + throws EProfileException, IOException { + + CMS.debug("nsTokenUserKeySubjectNameDefault: in getSubjectName"); + + String pattern = getConfig(CONFIG_DNPATTERN); + if (pattern == null || pattern.equals("")) { + pattern = " "; + } + String sbjname = ""; + + if (mldapInitialized == false) { + if (request != null) { + CMS.debug("pattern = " + pattern); + sbjname = mapPattern(request, pattern); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + } + return sbjname; + } + + // ldap is initialized, do more substitution + String searchName = getConfig(CONFIG_LDAP_SEARCH_NAME); + if (searchName == null || searchName.equals("")) { + searchName = "uid"; + } + + LDAPConnection conn = null; + String userdn = null; + // get DN from ldap to fill request + try { + if (mConnFactory == null) { + conn = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } else { + conn = mConnFactory.getConn(); + if (conn == null) { + 
CMS.debug("nsTokenUserKeySubjectNameDefault::getSubjectName() - " + + "no LDAP connection"); + throw new EProfileException("no LDAP connection"); + } + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got LDAP connection"); + } + // retrieve the attributes + // get user dn. + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): about to search with basedn = " + mBaseDN); + LDAPSearchResults res = conn.search(mBaseDN, + LDAPv2.SCOPE_SUB, "(" + searchName + "=" + request.getExtDataInString("uid") + ")", null, false); + + if (res.hasMoreElements()) { + LDAPEntry entry = res.next(); + + userdn = entry.getDN(); + } else {// put into property file later - cfu + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): " + searchName + " does not exist"); + throw new EProfileException("id does not exist"); + } + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): retrieved entry for " + + searchName + " = " + request.getExtDataInString("uid")); + + LDAPEntry entry = null; + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): about to search with " + + mLdapStringAttrs.length + " attributes"); + LDAPSearchResults results = + conn.search(userdn, LDAPv2.SCOPE_BASE, "objectclass=*", + mLdapStringAttrs, false); + + if (!results.hasMoreElements()) { + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): no attributes"); + throw new EProfileException("no ldap attributes found"); + } + entry = results.next(); + // set attrs into request + for (int i = 0; i < mLdapStringAttrs.length; i++) { + LDAPAttribute la = + entry.getAttribute(mLdapStringAttrs[i]); + if (la != null) { + String[] sla = la.getStringValueArray(); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: " + + mLdapStringAttrs[i] + + "=" + escapeValueRfc1779(sla[0], false).toString()); + request.setExtData(mLdapStringAttrs[i], escapeValueRfc1779(sla[0], false).toString()); + } + } + CMS.debug("pattern = " + pattern); + sbjname = 
mapPattern(request, pattern); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): subject name mapping done"); + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): attributes set in request"); + + } catch (Exception e) { + CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): " + e.toString()); + throw new EProfileException("getSubjectName() failure: " + e.toString()); + } finally { + try { + if (conn != null) + mConnFactory.returnConn(conn); + } catch (Exception e) { + throw new EProfileException( + "nsTokenUserKeySubjectNameDefault: getSubjectName(): connection return failure"); + } + } + return sbjname; + + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java new file mode 100644 index 000000000..77d4b1ce0 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java 
@@ -0,0 +1,122 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input. + * This input populates 2 main fields to the enrollment page: + * 1/ Certificate Request Type, 2/ Certificate Request + *

+ * + * This input usually is used by an enrollment profile for certificate requests. + * + * @version $Revision$, $Date$ + */ +public class CMCCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_CERT_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_CERT_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public CMCCertReqInput() { + addValueName(VAL_CERT_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); + + if (msgs == null) { + return; + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CERT_REQUEST)) { + return new Descriptor(IDescriptor.CERT_REQUEST, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/CertReqInput.java b/base/common/src/com/netscape/cms/profile/input/CertReqInput.java new file mode 100644 index 000000000..0b7e9f071 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/CertReqInput.java 
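Review bot: `msgs[seqNum.intValue()]` in populate indexes the parsed CMC array with a request-supplied sequence number that is checked for null but not for range, so an out-of-range REQUEST_SEQ_NUM escapes as an unchecked ArrayIndexOutOfBoundsException instead of an EProfileException. Add `if (seqNum.intValue() < 0 || seqNum.intValue() >= msgs.length) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }` directly after the existing null check. The comment `// This profile only handle the first request in CRMF` is stale here: this input parses CMC and selects the entry addressed by seqNum rather than the first one; `// select the TaggedRequest addressed by REQUEST_SEQ_NUM` describes what the code does. The same missing bounds check appears in CertReqInput's CRMF and CMC branches and in DualKeyGenInput's CRMF branch.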
@@ -0,0 +1,185 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input. + * This input populates 2 main fields to the enrollment page: + * 1/ Certificate Request Type, 2/ Certificate Request + *

+ * + * This input usually is used by an enrollment profile for certificate requests. + * + * @version $Revision$, $Date$ + */ +public class CertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_CERT_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_CERT_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public CertReqInput() { + addValueName(VAL_CERT_REQUEST_TYPE); + addValueName(VAL_CERT_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String cert_request_type = ctx.get(VAL_CERT_REQUEST_TYPE); + String cert_request = ctx.get(VAL_CERT_REQUEST); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (cert_request_type == null) { + CMS.debug("CertReqInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + + if (cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), cert_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), cert_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), cert_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request + ); + } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), 
cert_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("CertReqInput: populate - invalid cert request type " + + cert_request_type); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + cert_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_CERT_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.CERT_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ_TYPE")); + } else if (name.equals(VAL_CERT_REQUEST)) { + return new Descriptor(IDescriptor.CERT_REQUEST, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_CERT_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java new file mode 100644 index 000000000..18b9ecf52 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/DualKeyGenInput.java 
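Review bot: The CRMF branch of populate dereferences `seqNum.intValue()` without the null check that the CMC branch a few lines below performs, so a request lacking REQUEST_SEQ_NUM fails with a NullPointerException rather than the CMS_PROFILE_UNKNOWN_SEQ_NUM EProfileException. Insert the same guard before the fillCertReqMsg call: `if (seqNum == null) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }`. As a point of style, the PKCS10 branch tests `cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)` while the other branches use `startsWith(...)`; the difference is presumably unintentional and worth making uniform or explaining in a comment.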
@@ -0,0 +1,163 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the dual key generation input. + * This input populates parameters to the enrollment + * pages so that a CRMF request containing 2 certificate + * requests will be generated. + *

+ * + * This input can only be used with Netscape 7.x or later clients. + *

+ * + * @version $Revision$, $Date$ + */ +public class DualKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public DualKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_DUAL_KEY_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_DUAL_KEY_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("DualKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith("pkcs10")) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith("keygen")) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith("crmf")) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("DualKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + 
request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.DUAL_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.DUAL_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java new file mode 100644 index 000000000..d59629f78 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/EncryptionKeyGenInput.java 
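Review bot: The pkcs10 and keygen branches of populate pass the results of `parsePKCS10` and `parseKeyGen` straight to `fillPKCS10`/`fillKeyGen` without the null check that CertReqInput performs on the same calls, so an unparsable request would presumably surface as a NullPointerException inside the fill routine instead of the CMS_PROFILE_NO_CERT_REQ error. Add `if (pkcs10 == null) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); }` after the parse call and the equivalent guard for `keygen`. The request-type comparisons use the literals `"pkcs10"`, `"keygen"` and `"crmf"` where CertReqInput uses `EnrollProfile.REQ_TYPE_PKCS10`, `EnrollProfile.REQ_TYPE_KEYGEN` and `EnrollProfile.REQ_TYPE_CRMF`; using the constants here keeps the two inputs from drifting apart.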
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class EncryptionKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public EncryptionKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_ENC_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("EncryptionKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("EncryptionKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.ENC_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/EnrollInput.java b/base/common/src/com/netscape/cms/profile/input/EnrollInput.java new file mode 100644 index 000000000..c4269ba7d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/EnrollInput.java 
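Review bot: In the CRMF branch of populate, `seqNum` is dereferenced (`msgs[seqNum.intValue()]`) without the null check that the CMC branch a few lines later performs, and neither branch checks that the index lies within `msgs.length`, so a missing or out-of-range sequence number surfaces as a NullPointerException or ArrayIndexOutOfBoundsException instead of the profile error. Replace the CRMF lookup guard with `if (seqNum == null || seqNum.intValue() < 0 || seqNum.intValue() >= msgs.length) { throw new EProfileException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_UNKNOWN_SEQ_NUM")); }` and add the same range check to the CMC branch. KeyGenInput's populate has the identical code and the same gap. The CMC branch also carries the copy-pasted comment `// This profile only handle the first request in CRMF`; since both branches fill the message selected by REQUEST_SEQ_NUM, it should read `// only the request selected by REQUEST_SEQ_NUM is filled in`.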
@@ -0,0 +1,303 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.pkix.crmf.CertReqMsg; +import org.mozilla.jss.pkix.crmf.ProofOfPossession; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the base enrollment input. 
+ * + * @version $Revision$, $Date$ + */ +public abstract class EnrollInput implements IProfileInput { + + private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION = + "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2"; + + protected IConfigStore mConfig = null; + protected Vector mValueNames = new Vector(); + protected Vector mConfigNames = new Vector(); + protected IProfile mProfile = null; + + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + mProfile = profile; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + /** + * Populates the request with this policy default. + * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public abstract void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return localized input name + */ + public abstract String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return localized input description + */ + public abstract String getText(Locale locale); + + /** + * Retrieves the descriptor of the given value + * property by name. + * + * @param locale user locale + * @param name property name + * @return descriptor of the property + */ + public abstract IDescriptor getValueDescriptor(Locale locale, String name); + + public void addValueName(String name) { + mValueNames.addElement(name); + } + + /** + * Retrieves a list of names of the value parameter. 
+ */ + public Enumeration getValueNames() { + return mValueNames.elements(); + } + + public void addConfigName(String name) { + mConfigNames.addElement(name); + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (mConfig.getSubStore("params") == null) { + // + } else { + mConfig.getSubStore("params").putString(name, value); + } + } + + public String getConfig(String name) { + try { + if (mConfig == null) { + return null; + } + if (mConfig.getSubStore("params") != null) { + return mConfig.getSubStore("params").getString(name); + } + } catch (EBaseException e) { + } + return ""; + } + + public String getDefaultConfig(String name) { + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + return request.getExtDataInString(name); + } + + /** + * Sets the value of the given value parameter by name. + */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException { + request.setExtData(name, value); + } + + public Locale getLocale(IRequest request) { + Locale locale = null; + String language = request.getExtDataInString( + EnrollProfile.REQUEST_LOCALE); + if (language != null) { + locale = new Locale(language); + } + return locale; + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void verifyPOP(Locale locale, CertReqMsg certReqMsg) + throws EProfileException { + CMS.debug("EnrollInput ::in verifyPOP"); + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + if (!certReqMsg.hasPop()) { + CMS.debug("CertReqMsg has not POP, return"); + return; + } + ProofOfPossession pop = certReqMsg.getPop(); + ProofOfPossession.Type popType = pop.getType(); + + if (popType != ProofOfPossession.SIGNATURE) { + CMS.debug("not POP SIGNATURE, return"); + return; + } + + try { + if 
(CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) { + CMS.debug("skipPOPVerify on, return"); + return; + } + CMS.debug("POP verification begins:"); + CryptoManager cm = CryptoManager.getInstance(); + + CryptoToken verifyToken = null; + String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + if (tokenName.equals("internal")) { + CMS.debug("POP verification using internal token"); + certReqMsg.verify(); + } else { + CMS.debug("POP verification using token:" + tokenName); + verifyToken = cm.getTokenByName(tokenName); + certReqMsg.verify(verifyToken); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.SUCCESS); + audit(auditMessage); + } catch (Exception e) { + + CMS.debug("Failed POP verify! " + e.toString()); + CMS.debug(e); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + throw new EProfileException(CMS.getUserMessage(locale, + "CMS_POP_VERIFICATION_ERROR")); + } + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java b/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java new file mode 100644 index 000000000..357488186 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/FileSigningInput.java 
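Review bot: verifyPOP writes a signed-audit record only on the path that actually runs `certReqMsg.verify()`; the early returns for a request without POP, for a POP type other than SIGNATURE, and for `cms.skipPOPVerify` leave no audit entry, so the audit trail cannot distinguish a request whose proof of possession was checked from one where the check was bypassed. At minimum the Javadoc on verifyPOP should state that contract, e.g. `Verifies a SIGNATURE proof of possession and audits the outcome; requests with no POP, a non-signature POP type, or cms.skipPOPVerify=true are accepted without verification and without an audit record.` Separately, getConfig's `catch (EBaseException e) { }` swallows the failure and returns "" while a null mConfig returns null; log it with `CMS.debug(e);` and document which sentinel callers should expect. setConfig likewise has an empty `if` branch with only a bare `//`; either drop the branch or say why a missing "params" substore is ignored.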
@@ -0,0 +1,143 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.io.BufferedInputStream; +import java.net.URL; +import java.net.URLConnection; +import java.security.MessageDigest; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the image + * input that collects a picture. + *

+ * + * @version $Revision$, $Date$ + */ +public class FileSigningInput extends EnrollInput implements IProfileInput { + + public static final String URL = "file_signing_url"; + public static final String TEXT = "file_signing_text"; + public static final String SIZE = "file_signing_size"; + public static final String DIGEST = "file_signing_digest"; + public static final String DIGEST_TYPE = "file_signing_digest_type"; + + public FileSigningInput() { + addValueName(URL); + addValueName(TEXT); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_TEXT"); + } + + public String toHexString(byte data[]) { + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < data.length; i++) { + int v = data[i] & 0xff; + if (v < 16) { + sb.append("0"); + } + sb.append(Integer.toHexString(v)); + } + return sb.toString(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + request.setExtData(TEXT, ctx.get(TEXT)); + request.setExtData(URL, ctx.get(URL)); + request.setExtData(DIGEST_TYPE, "SHA256"); + + try { + // retrieve file and calculate the hash + URL url = new URL(ctx.get(URL)); + URLConnection c = url.openConnection(); + c.setAllowUserInteraction(false); + c.setDoInput(true); + c.setDoOutput(false); + c.setUseCaches(false); + c.connect(); + int len = c.getContentLength(); + request.setExtData(SIZE, Integer.toString(len)); + BufferedInputStream is = new BufferedInputStream(c.getInputStream()); + byte data[] = new byte[len]; + is.read(data, 0, len); + is.close(); + + // calculate digest + MessageDigest digester = MessageDigest.getInstance("SHA256"); + byte digest[] = digester.digest(data); + request.setExtData(DIGEST, toHexString(digest)); + } catch (Exception e) { + CMS.debug("FileSigningInput populate failure " + e); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_FILE_NOT_FOUND")); + } + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(URL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_URL")); + } else if (name.equals(TEXT)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_FILE_SIGNING_TEXT")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/GenericInput.java b/base/common/src/com/netscape/cms/profile/input/GenericInput.java new file mode 100644 index 000000000..e8edfaa6d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/GenericInput.java 
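Review bot: In populate the digest is computed over a buffer that a single `is.read(data, 0, len)` is not guaranteed to fill, and `getContentLength()` can be -1 when the length is unknown, so the stored DIGEST can cover a partially written, zero-padded array or the fetch can fail on `new byte[len]`; the rewrite below streams the body through the digest and records the bytes actually read. The stream is also never closed when an exception occurs between `getInputStream()` and `is.close()`. Note that the URL fetched here comes straight from the enrollment input (`ctx.get(URL)`) and is retrieved by the CA itself with no scheme/host restriction and no limit on the bytes read; that deserves an explicit comment on populate and a configurable cap on the download size. The class Javadoc (`This class implements the image input that collects a picture.`) was copied from ImageInput and should describe file signing.
```java
// … unchanged: setExtData(TEXT), setExtData(URL), setExtData(DIGEST_TYPE) …
try {
    // retrieve file and calculate the hash
    URL url = new URL(ctx.get(URL));
    URLConnection c = url.openConnection();
    // … unchanged: connection flags and connect() …
    MessageDigest digester = MessageDigest.getInstance("SHA256");
    BufferedInputStream is = new BufferedInputStream(c.getInputStream());
    long total = 0;
    try {
        // stream the body through the digest: a single read() need not fill
        // the buffer and the content length may be unknown (-1)
        byte buf[] = new byte[8192];
        int n;
        while ((n = is.read(buf)) != -1) {
            digester.update(buf, 0, n);
            total += n;
        }
    } finally {
        is.close();
    }
    request.setExtData(SIZE, Long.toString(total));
    request.setExtData(DIGEST, toHexString(digester.digest()));
// … unchanged: catch block …
```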
@@ -0,0 +1,160 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements a generic input. + *

+ * + * @version $Revision$, $Date$ + */ +public class GenericInput extends EnrollInput implements IProfileInput { + + public static final String CONFIG_NUM = "gi_num"; + public static final String CONFIG_DISPLAY_NAME = "gi_display_name"; + public static final String CONFIG_PARAM_NAME = "gi_param_name"; + public static final String CONFIG_ENABLE = "gi_param_enable"; + + public static final int DEF_NUM = 5; + + public GenericInput() { + int num = getNum(); + for (int i = 0; i < num; i++) { + addConfigName(CONFIG_PARAM_NAME + i); + addConfigName(CONFIG_DISPLAY_NAME + i); + addConfigName(CONFIG_ENABLE + i); + } + } + + protected int getNum() { + int num = DEF_NUM; + String numC = getConfig(CONFIG_NUM); + + if (numC != null) { + try { + num = Integer.parseInt(numC); + } catch (NumberFormatException e) { + // ignore + } + } + return num; + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_GENERIC_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_GENERIC_NAME_TEXT"); + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + int num = getNum(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + v.addElement(getConfig(CONFIG_PARAM_NAME + i)); + } + } + return v.elements(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + int num = getNum(); + for (int i = 0; i < num; i++) { + String enable = getConfig(CONFIG_ENABLE + i); + if (enable != null && enable.equals("true")) { + String param = getConfig(CONFIG_PARAM_NAME + i); + request.setExtData(param, ctx.get(param)); + } + } + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + int num = getNum(); + for (int i = 0; i < num; i++) { + if (name.equals(CONFIG_PARAM_NAME + i)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GI_PARAM_NAME") + i); + } else if (name.equals(CONFIG_DISPLAY_NAME + i)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_GI_DISPLAY_NAME") + i); + } else if (name.equals(CONFIG_ENABLE + i)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_GI_ENABLE") + i); + } + } // for + return null; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + int num = getNum(); + for (int i = 0; i < num; i++) { + String param = getConfig(CONFIG_PARAM_NAME + i); + if (param != null && param.equals(name)) { + return new Descriptor(IDescriptor.STRING, null, + null, + getConfig(CONFIG_DISPLAY_NAME + i)); + } + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/ImageInput.java b/base/common/src/com/netscape/cms/profile/input/ImageInput.java new file mode 100644 index 000000000..30570b56c --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/ImageInput.java 
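Review bot: The constructor calls getNum(), but at construction time mConfig is still null (init() has not run), so getConfig(CONFIG_NUM) returns null and the loop always registers DEF_NUM slots regardless of `gi_num`; the later getNum() calls in getValueNames, populate and the descriptor methods do read the config, so a profile configured with more than five slots exposes value names whose config names were never registered. If the framework reads getConfigNames() only after init(), move the registration loop into init() after `super.init(profile, config)` as below; if it can read them earlier, keep the constructor loop and document that `gi_num` cannot exceed DEF_NUM. getValueNames also adds whatever getConfig(CONFIG_PARAM_NAME + i) returns, which is "" when the key cannot be read, so an enabled slot with no parameter name yields an empty value name; skip blank names there.
```java
public GenericInput() {
    // slot registration happens in init(): mConfig is null here and getNum()
    // would always fall back to DEF_NUM
}

/**
 * Initializes this input and registers one set of config names per slot.
 */
public void init(IProfile profile, IConfigStore config)
        throws EProfileException {
    super.init(profile, config);
    int num = getNum();
    for (int i = 0; i < num; i++) {
        addConfigName(CONFIG_PARAM_NAME + i);
        addConfigName(CONFIG_DISPLAY_NAME + i);
        addConfigName(CONFIG_ENABLE + i);
    }
}
// … unchanged: getNum, getName, getText, getValueNames, populate, descriptor methods …
```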
@@ -0,0 +1,89 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * This class implements the image
+ * input that collects a picture.
+ *
+ *
+ * @version $Revision$, $Date$
+ */
+public class ImageInput extends EnrollInput implements IProfileInput {
+
+ public static final String IMAGE_URL = "image_url";
+
+ public ImageInput() {
+ addValueName(IMAGE_URL);
+ }
+
+ /**
+ * Initializes this default policy.
+ */
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_TEXT");
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ request.setExtData(IMAGE_URL, ctx.get(IMAGE_URL));
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(IMAGE_URL)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IMAGE_URL"));
+ }
+ return null;
+ }
+}
diff --git a/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java
new file mode 100644
index 000000000..c2b3cf0d5
--- /dev/null
+++ b/base/common/src/com/netscape/cms/profile/input/KeyGenInput.java
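Review bot: The method Javadocs in ImageInput (`Initializes this default policy.`, `Populates the request with this policy default.`) are copied from the policy-default classes and do not describe an input; populate simply copies the context value through, and a reader cannot tell from the comment whether the URL is validated anywhere. Suggest `/** Copies the image URL from the profile context into the request unchanged; no validation is performed here. */` on populate and `Initializes this input.` on init. The same copied wording appears on the other input classes in this commit.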
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class KeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public KeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("KeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("DualKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java b/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java new file mode 100644 index 000000000..542a2c940 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java 
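Review bot: The unknown-type branch at the end of populate logs `CMS.debug("DualKeyGenInput: populate - " + "invalid cert request type " + keygen_request_type);` — the prefix is copied from DualKeyGenInput, so log lines from this class are attributed to the wrong input. Change it to `CMS.debug("KeyGenInput: populate - invalid cert request type " + keygen_request_type);`, matching the null-type branch earlier in the same method. The CMC branch's comment `// This profile only handle the first request in CRMF` is likewise a leftover and should name CMC and the sequence-number lookup it actually performs.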
@@ -0,0 +1,89 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the serial number input + * for renewal + *

+ * + * @author Christina Fu + */ +public class SerialNumRenewInput extends EnrollInput implements IProfileInput { + + public static final String SERIAL_NUM = "serial_num"; + + public SerialNumRenewInput() { + addValueName(SERIAL_NUM); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + // + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(SERIAL_NUM)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SERIAL_NUM_NAME")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java b/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java new file mode 100644 index 000000000..aa471d4f6 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SigningKeyGenInput.java 
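Review bot: `populate` is a no-op, so nothing in this class checks that the `serial_num` value declared via `addValueName(SERIAL_NUM)` is present or well-formed before renewal proceeds; presumably the renewal flow reads it straight from the profile context, but that is not visible here. At minimum the empty body deserves a comment saying where the value is consumed, e.g. `// serial_num is read from the profile context by the renewal flow, not copied into the request here — TODO confirm`, and if this class is meant to be the validation point, a presence check throwing EProfileException like the other inputs do. The Javadoc `Initializes this default policy.` / `Populates the request with this policy default.` is copied from the default plugins and does not describe an input.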
@@ -0,0 +1,184 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.pkcs.PKCS10; +import netscape.security.util.DerInputStream; +import netscape.security.x509.X509CertInfo; + +import org.mozilla.jss.pkix.cmc.TaggedRequest; +import org.mozilla.jss.pkix.crmf.CertReqMsg; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the key generation input that + * populates parameters to the enrollment page for + * key generation. + *

+ * + * This input normally is used with user-based or non certificate request profile. + *

+ * + * @version $Revision$, $Date$ + */ +public class SigningKeyGenInput extends EnrollInput implements IProfileInput { + + public static final String VAL_KEYGEN_REQUEST_TYPE = + EnrollProfile.CTX_CERT_REQUEST_TYPE; + public static final String VAL_KEYGEN_REQUEST = + EnrollProfile.CTX_CERT_REQUEST; + + public EnrollProfile mEnrollProfile = null; + + public SigningKeyGenInput() { + addValueName(VAL_KEYGEN_REQUEST_TYPE); + addValueName(VAL_KEYGEN_REQUEST); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SIGN_KEY_GEN_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String keygen_request_type = ctx.get(VAL_KEYGEN_REQUEST_TYPE); + String keygen_request = ctx.get(VAL_KEYGEN_REQUEST); + + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (keygen_request_type == null) { + CMS.debug("SigningKeyGenInput: populate - invalid cert request type " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + "")); + } + if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_PKCS10)) { + PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), keygen_request); + + if (pkcs10 == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) { + DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), keygen_request); + + if (keygen == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + + mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) { + CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + for (int x = 0; x < msgs.length; x++) { + verifyPOP(getLocale(request), msgs[x]); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request); + } else if (keygen_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) { + TaggedRequest msgs[] = 
mEnrollProfile.parseCMC(getLocale(request), keygen_request); + + if (msgs == null) { + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_PROFILE_NO_CERT_REQ")); + } + // This profile only handle the first request in CRMF + Integer seqNum = request.getExtDataInInteger(EnrollProfile.REQUEST_SEQ_NUM); + + if (seqNum == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_UNKNOWN_SEQ_NUM")); + } + + mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request); + } else { + // error + CMS.debug("SigningKeyGenInput: populate - " + + "invalid cert request type " + keygen_request_type); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_UNKNOWN_CERT_REQ_TYPE", + keygen_request_type)); + } + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_KEYGEN_REQUEST_TYPE)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST_TYPE, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ_TYPE")); + } else if (name.equals(VAL_KEYGEN_REQUEST)) { + return new Descriptor(IDescriptor.SIGN_KEYGEN_REQUEST, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_KEYGEN_REQ")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java b/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java new file mode 100644 index 000000000..a12351f8a --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SubjectDNInput.java 
@@ -0,0 +1,142 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This plugin accepts subject DN from end user. + */ +public class SubjectDNInput extends EnrollInput implements IProfileInput { + + public static final String VAL_SUBJECT = "subject"; + + public SubjectDNInput() { + } + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_TEXT"); + } + + public String getConfig(String name) { + String config = super.getConfig(name); + if (config == null || config.equals("")) + return "true"; + return config; + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + v.addElement(VAL_SUBJECT); + return v.elements(); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + String subjectName = ""; + + subjectName = ctx.get(VAL_SUBJECT); + if (subjectName.equals("")) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name name = null; + + try { + name = new X500Name(subjectName); + } catch (Exception e) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_SUBJECT_NAME", subjectName)); + } + parseSubjectName(name, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_SUBJECT)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME")); + } + return null; + } + + protected void parseSubjectName(X500Name subj, X509CertInfo info, IRequest req) + throws EProfileException { + try { + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subj)); + } catch (Exception e) { + CMS.debug("SubjectNameInput: parseSubject Name " + + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java b/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java new file mode 100644 index 000000000..db70da666 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java 
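Review bot: `populate` calls `subjectName.equals("")` directly on the result of `ctx.get(VAL_SUBJECT)`, so a request whose context has no `subject` entry fails with a NullPointerException rather than the CMS_PROFILE_SUBJECT_NAME_NOT_FOUND error; change the check to `if (subjectName == null || subjectName.equals(""))`. `parseSubjectName` catches every exception from `new CertificateSubjectName(subj)` and only logs it, so the request continues without REQUEST_SUBJECT_NAME set and the failure is invisible to the caller; since the method already declares EProfileException, rethrow with `throw new EProfileException(CMS.getUserMessage(getLocale(req), "CMS_PROFILE_INVALID_SUBJECT_NAME", subj.toString()));`. The debug message in that catch is labelled `SubjectNameInput`, copied from the sibling class; it should read `SubjectDNInput`.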
@@ -0,0 +1,382 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.X500Name; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the subject name input + * that populates text fields to the enrollment + * page so that distinguished name parameters + * can be collected from the user. + *

+ * The collected parameters could be used for fomulating the subject name in the certificate. + *

+ * + * @version $Revision$, $Date$ + */ +public class SubjectNameInput extends EnrollInput implements IProfileInput { + + public static final String CONFIG_UID = "sn_uid"; + public static final String CONFIG_EMAIL = "sn_e"; + public static final String CONFIG_CN = "sn_cn"; + public static final String CONFIG_OU3 = "sn_ou3"; + public static final String CONFIG_OU2 = "sn_ou2"; + public static final String CONFIG_OU1 = "sn_ou1"; + public static final String CONFIG_OU = "sn_ou"; + public static final String CONFIG_O = "sn_o"; + public static final String CONFIG_C = "sn_c"; + + public static final String VAL_UID = "sn_uid"; + public static final String VAL_EMAIL = "sn_e"; + public static final String VAL_CN = "sn_cn"; + public static final String VAL_OU3 = "sn_ou3"; + public static final String VAL_OU2 = "sn_ou2"; + public static final String VAL_OU1 = "sn_ou1"; + public static final String VAL_OU = "sn_ou"; + public static final String VAL_O = "sn_o"; + public static final String VAL_C = "sn_c"; + + public SubjectNameInput() { + addConfigName(CONFIG_UID); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_CN); + addConfigName(CONFIG_OU3); + addConfigName(CONFIG_OU2); + addConfigName(CONFIG_OU1); + addConfigName(CONFIG_OU); + addConfigName(CONFIG_O); + addConfigName(CONFIG_C); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_NAME"); + } + + /** + * Retrieves the localizable description of this policy. 
+ */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_NAME_TEXT"); + } + + public String getConfig(String name) { + String config = super.getConfig(name); + if (config == null || config.equals("")) + return "true"; + return config; + } + + /** + * Returns selected value names based on the configuration. + */ + public Enumeration getValueNames() { + Vector v = new Vector(); + String c_uid = getConfig(CONFIG_UID); + if (c_uid == null || c_uid.equals("")) { + v.addElement(VAL_UID); // default case + } else { + if (c_uid.equals("true")) { + v.addElement(VAL_UID); + } + } + String c_email = getConfig(CONFIG_EMAIL); + if (c_email == null || c_email.equals("")) { + v.addElement(VAL_EMAIL); + } else { + if (c_email.equals("true")) { + v.addElement(VAL_EMAIL); + } + } + String c_cn = getConfig(CONFIG_CN); + if (c_cn == null || c_cn.equals("")) { + v.addElement(VAL_CN); + } else { + if (c_cn.equals("true")) { + v.addElement(VAL_CN); + } + } + String c_ou3 = getConfig(CONFIG_OU3); + if (c_ou3 == null || c_ou3.equals("")) { + v.addElement(VAL_OU3); + } else { + if (c_ou3.equals("true")) { + v.addElement(VAL_OU3); + } + } + String c_ou2 = getConfig(CONFIG_OU2); + if (c_ou2 == null || c_ou2.equals("")) { + v.addElement(VAL_OU2); + } else { + if (c_ou2.equals("true")) { + v.addElement(VAL_OU2); + } + } + String c_ou1 = getConfig(CONFIG_OU1); + if (c_ou1 == null || c_ou1.equals("")) { + v.addElement(VAL_OU1); + } else { + if (c_ou1.equals("true")) { + v.addElement(VAL_OU1); + } + } + String c_ou = getConfig(CONFIG_OU); + if (c_ou == null || c_ou.equals("")) { + v.addElement(VAL_OU); + } else { + if (c_ou.equals("true")) { + v.addElement(VAL_OU); + } + } + String c_o = getConfig(CONFIG_O); + if (c_o == null || c_o.equals("")) { + v.addElement(VAL_O); + } else { + if (c_o.equals("true")) { + v.addElement(VAL_O); + } + } + String c_c = getConfig(CONFIG_C); + if (c_c == null || c_c.equals("")) { + v.addElement(VAL_C); + } else { + 
if (c_c.equals("true")) { + v.addElement(VAL_C); + } + } + return v.elements(); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + String subjectName = ""; + + String uid = ctx.get(VAL_UID); + + if (uid != null && !uid.equals("")) { + subjectName += "UID=" + uid; + } + String email = ctx.get(VAL_EMAIL); + + if (email != null && !email.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "E=" + email; + } + String cn = ctx.get(VAL_CN); + + if (cn != null && !cn.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "CN=" + cn; + } + String ou3 = ctx.get(VAL_OU3); + if (ou3 != null && !ou3.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou3; + } + String ou2 = ctx.get(VAL_OU2); + if (ou2 != null && !ou2.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou2; + } + String ou1 = ctx.get(VAL_OU1); + if (ou1 != null && !ou1.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou1; + } + String ou = ctx.get(VAL_OU); + if (ou != null && !ou.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "OU=" + ou; + } + String o = ctx.get(VAL_O); + + if (o != null && !o.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "O=" + o; + } + String c = ctx.get(VAL_C); + + if (c != null && !c.equals("")) { + if (!subjectName.equals("")) { + subjectName += ","; + } + subjectName += "C=" + c; + } + if (subjectName.equals("")) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); + } + X500Name name = null; + + try { + name = new X500Name(subjectName); + 
} catch (Exception e) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_INVALID_SUBJECT_NAME", subjectName)); + } + parseSubjectName(name, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_UID)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(CONFIG_CN)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_CN")); + } else if (name.equals(CONFIG_OU3)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU2)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU1)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_OU)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(CONFIG_O)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_O")); + } else if (name.equals(CONFIG_C)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "true", + CMS.getUserMessage(locale, "CMS_PROFILE_SN_C")); + } else { + return null; + } + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_UID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_UID")); + } else if (name.equals(VAL_EMAIL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_EMAIL")); + } else if (name.equals(VAL_CN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_CN")); + } else if (name.equals(VAL_OU3)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 3"); + } else if (name.equals(VAL_OU2)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 2"); + } else if (name.equals(VAL_OU1)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU") + " 1"); + } else if (name.equals(VAL_OU)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_OU")); + } else if (name.equals(VAL_O)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_O")); + } else if (name.equals(VAL_C)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_SN_C")); + } + return null; + } + + protected void parseSubjectName(X500Name subj, X509CertInfo info, IRequest req) + throws EProfileException { + try { + req.setExtData(EnrollProfile.REQUEST_SUBJECT_NAME, + new CertificateSubjectName(subj)); + } catch (Exception e) { + CMS.debug("SubjectNameInput: parseSubject Name " + + e.toString()); + } + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java b/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java new file mode 100644 index 000000000..984706f42 --- /dev/null 
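Review bot: The subject DN that `populate` hands to `new X500Name(subjectName)` is built by concatenating the raw `sn_*` context values (`"UID=" + uid`, `"CN=" + cn`, …), so a value containing `,`, `+` or `=` is parsed as additional RDNs rather than as part of the intended attribute, and the subject in the issued certificate no longer matches the field the user filled in. Each value should be escaped per RFC 4514 before concatenation (or the name built from typed RDN components), assuming the `X500Name` parser honors backslash escapes — worth confirming against the netscape.security.x509 parser; a helper and its use are sketched below. Separately, `getConfigDescriptor` returns the `CMS_PROFILE_SN_UID` label for `CONFIG_EMAIL`, a copy-paste slip, while `getValueDescriptor` uses `CMS_PROFILE_SN_EMAIL` for the same field. `parseSubjectName` also swallows every exception and only logs it, leaving the request without REQUEST_SUBJECT_NAME; rethrowing as EProfileException would keep the failure visible.
```java
    /**
     * Escapes the RFC 4514 special characters in a single attribute value so
     * that the value cannot introduce extra RDNs when the assembled string is
     * parsed by X500Name.  A leading '#' and leading/trailing spaces are
     * escaped as well.
     */
    private static String escapeRdnValue(String value) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < value.length(); i++) {
            char ch = value.charAt(i);
            boolean special = ch == ',' || ch == '+' || ch == '"' || ch == '\\'
                    || ch == '<' || ch == '>' || ch == ';' || ch == '='
                    || (i == 0 && (ch == '#' || ch == ' '))
                    || (i == value.length() - 1 && ch == ' ');
            if (special) {
                sb.append('\\');
            }
            sb.append(ch);
        }
        return sb.toString();
    }

    // … in populate(), each component is escaped before concatenation, e.g.:
        if (uid != null && !uid.equals("")) {
            subjectName += "UID=" + escapeRdnValue(uid);
        }
    // … unchanged: the E/CN/OU/O/C fields follow the same pattern …
```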
+++ b/base/common/src/com/netscape/cms/profile/input/SubmitterInfoInput.java @@ -0,0 +1,102 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the submitter information + * input that collects certificate requestor's + * information such as name, email and phone. + *

+ * + * @version $Revision$, $Date$ + */ +public class SubmitterInfoInput extends EnrollInput implements IProfileInput { + + public static final String NAME = "requestor_name"; + public static final String EMAIL = "requestor_email"; + public static final String PHONE = "requestor_phone"; + + public SubmitterInfoInput() { + addValueName(NAME); + addValueName(EMAIL); + addValueName(PHONE); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBMITTER_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBMITTER_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + // + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(NAME)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_NAME")); + } else if (name.equals(EMAIL)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_EMAIL")); + } else if (name.equals(PHONE)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, "CMS_PROFILE_REQUESTOR_PHONE")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java new file mode 100644 index 000000000..3c6067891 --- /dev/null 
+++ b/base/common/src/com/netscape/cms/profile/input/nsHKeyCertReqInput.java @@ -0,0 +1,160 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input from TPS. + * This input populates 2 main fields to the enrollment "page": + * 1/ token cuid, 2/ publickey + *

+ * + * This input usually is used by an enrollment profile for certificate requests coming from TPS. + * + * @version $Revision$, $Date$ + */ +public class nsHKeyCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_TOKEN_CUID = "tokencuid"; + public static final String VAL_PUBLIC_KEY = "publickey"; + + public EnrollProfile mEnrollProfile = null; + + public nsHKeyCertReqInput() { + addValueName(VAL_TOKEN_CUID); + addValueName(VAL_PUBLIC_KEY); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TEXT"); + } + + /* + * Pretty print token cuid + */ + public String toPrettyPrint(String cuid) { + if (cuid == null) + return null; + + if (cuid.length() != 20) + return null; + + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < cuid.length(); i++) { + if (i == 4 || i == 8 || i == 12 || i == 16) { + sb.append("-"); + } + sb.append(cuid.charAt(i)); + } + return sb.toString(); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String tcuid = ctx.get(VAL_TOKEN_CUID); + // pretty print tcuid + String prettyPrintCuid = toPrettyPrint(tcuid); + if (prettyPrintCuid == null) { + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_TOKENCUID", + "")); + } + + request.setExtData("pretty_print_tokencuid", prettyPrintCuid); + + String pk = ctx.get(VAL_PUBLIC_KEY); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (tcuid == null) { + CMS.debug("nsHKeyCertReqInput: populate - tokencuid not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_TOKENCUID", + "")); + } + if (pk == null) { + CMS.debug("nsHKeyCertReqInput: populate - public key not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_PUBLIC_KEY", + "")); + } + + mEnrollProfile.fillNSHKEY(getLocale(request), tcuid, pk, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_TOKEN_CUID)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TOKEN_CUID")); + } else if (name.equals(VAL_PUBLIC_KEY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_PK")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java new file mode 100644 index 000000000..196798683 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/input/nsNKeyCertReqInput.java 
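Review bot: The `if (tcuid == null)` check in `populate` is unreachable, because `toPrettyPrint(null)` returns null and the earlier `prettyPrintCuid == null` test has already thrown CMS_PROFILE_TOKENKEY_NO_TOKENCUID; either drop it or move the `tcuid`/`pk` null checks ahead of the pretty-print step so the ordering reads as intended. `toPrettyPrint` validates only the length, so any 20 characters are accepted, stored under `pretty_print_tokencuid` and handed to `fillNSHKEY`; if the CUID is hexadecimal, as the 4-4-4-4-4 grouping suggests (confirm against the TPS side), tighten the guard to `if (cuid.length() != 20 || !cuid.matches("[0-9A-Fa-f]{20}")) return null;`. The field `public EnrollProfile mEnrollProfile` is writable from anywhere; `protected` (or private with the cast kept in `init`) matches how it is used.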
@@ -0,0 +1,129 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.input; + +import java.util.Locale; + +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileInput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the certificate request input from TPS. + * This input populates 2 main fields to the enrollment "page": + * 1/ id, 2/ publickey + *

+ * + * This input usually is used by an enrollment profile for certificate requests coming from TPS. + * + * @version $Revision$, $Date$ + */ +public class nsNKeyCertReqInput extends EnrollInput implements IProfileInput { + public static final String VAL_SN = "screenname"; + public static final String VAL_PUBLIC_KEY = "publickey"; + + public EnrollProfile mEnrollProfile = null; + + public nsNKeyCertReqInput() { + addValueName(VAL_SN); + addValueName(VAL_PUBLIC_KEY); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + + mEnrollProfile = (EnrollProfile) profile; + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_TEXT"); + } + + /** + * Populates the request with this policy default. 
+ */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + String sn = ctx.get(VAL_SN); + String pk = ctx.get(VAL_PUBLIC_KEY); + X509CertInfo info = + request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO); + + if (sn == null) { + CMS.debug("nsNKeyCertReqInput: populate - id not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_ID", + "")); + } + if (pk == null) { + CMS.debug("nsNKeyCertReqInput: populate - public key not found " + + ""); + throw new EProfileException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_TOKENKEY_NO_PUBLIC_KEY", + "")); + } + + mEnrollProfile.fillNSNKEY(getLocale(request), sn, pk, info, request); + request.setExtData(EnrollProfile.REQUEST_CERTINFO, info); + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_SN)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_UID")); + } else if (name.equals(VAL_PUBLIC_KEY)) { + return new Descriptor(IDescriptor.STRING, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_INPUT_TOKENKEY_CERT_REQ_PK")); + } + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java b/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java new file mode 100644 index 000000000..2253460b1 --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/CMMFOutput.java 
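Review bot: `init` stores `(EnrollProfile) profile` through an unchecked cast, so a profile of any other `IProfile` type configured with this input fails later with a ClassCastException rather than a profile error; guard it with `if (!(profile instanceof EnrollProfile)) throw new EProfileException("nsNKeyCertReqInput requires an EnrollProfile");` before the assignment. The same pattern appears in the nsHKeyCertReqInput hunk above. `mEnrollProfile` is also a public mutable field that nothing in this hunk needs from outside the class; `private` would do. In `populate`, `pk` is handed to `fillNSNKEY` exactly as read from the context, so any validation of the public-key string has to happen there — a comment on that call saying so would stop a reader assuming this class checks it.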
@@ -0,0 +1,161 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.io.ByteArrayOutputStream; +import java.security.cert.X509Certificate; +import java.util.Locale; + +import netscape.security.x509.CertificateChain; +import netscape.security.x509.X509CertImpl; + +import org.mozilla.jss.asn1.INTEGER; +import org.mozilla.jss.pkix.cmmf.CertOrEncCert; +import org.mozilla.jss.pkix.cmmf.CertRepContent; +import org.mozilla.jss.pkix.cmmf.CertResponse; +import org.mozilla.jss.pkix.cmmf.CertifiedKeyPair; +import org.mozilla.jss.pkix.cmmf.PKIStatusInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements 
the output plugin that outputs + * CMMF response for the issued certificate. + * + * @version $Revision$, $Date$ + */ +public class CMMFOutput extends EnrollOutput implements IProfileOutput { + + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_CMMF_RESPONSE = "cmmf_response"; + + public CMMFOutput() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_CMMF_RESPONSE); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_CMMF_RESPONSE)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CMMF_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_CMMF_RESPONSE)) { + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + CertificateChain cachain = ca.getCACertChain(); + X509Certificate[] cacerts = cachain.getChain(); + + byte[][] caPubs = new byte[cacerts.length][]; + + for (int j = 0; j < cacerts.length; j++) { + caPubs[j] = ((X509CertImpl) cacerts[j]).getEncoded(); + } + + CertRepContent certRepContent = null; + certRepContent = new CertRepContent(caPubs); + + PKIStatusInfo status = new PKIStatusInfo(PKIStatusInfo.granted); + CertifiedKeyPair certifiedKP = + new CertifiedKeyPair(new CertOrEncCert(cert.getEncoded())); + CertResponse resp = + new CertResponse(new INTEGER(request.getRequestId().toString()), + status, certifiedKP); + certRepContent.addCertResponse(resp); + + ByteArrayOutputStream certRepOut = new ByteArrayOutputStream(); + certRepContent.encode(certRepOut); + byte[] certRepBytes = certRepOut.toByteArray(); + + return CMS.BtoA(certRepBytes); + } catch (Exception e) { + return null; + } + } else { + return null; + } + } + +} 
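Review bot: The `VAL_PRETTY_CERT` branch of `getValue` passes `cert` to `CMS.getCertPrettyPrint` without the `if (cert == null) return null;` guard that the `VAL_CMMF_RESPONSE` branch and the `CertOutput`/`PKCS7Output` hunks below apply, so asking for the pretty print before a certificate is issued can fail with a NullPointerException instead of returning null. Add the same two-line guard right after `request.getExtDataInCert(EnrollProfile.REQUEST_ISSUED_CERT)`. The `catch (Exception e) { return null; }` around the CMMF encoding also discards the cause; at minimum log it, e.g. `CMS.debug("CMMFOutput: getValue - " + e.toString());`, so a failure to build the response (CA chain encoding, DER error) is diagnosable rather than surfacing as an empty output field.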
diff --git a/base/common/src/com/netscape/cms/profile/output/CertOutput.java b/base/common/src/com/netscape/cms/profile/output/CertOutput.java new file mode 100644 index 000000000..1293c055c --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/CertOutput.java 
@@ -0,0 +1,120 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the pretty print certificate output + * that displays the issued certificate in a pretty print format. + * + * @version $Revision$, $Date$ + */ +public class CertOutput extends EnrollOutput implements IProfileOutput { + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_B64_CERT = "b64_cert"; + + public CertOutput() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_B64_CERT); + } + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_B64_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_B64_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + return CMS.getEncodedCert(cert); + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java b/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java new file mode 100644 index 000000000..25a4b4908 --- /dev/null 
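Review bot: `getValue` is the only public method in this class without a Javadoc, and its contract is the one callers actually need. Add above it: `/** Returns the issued certificate for VAL_PRETTY_CERT (human-readable) or VAL_B64_CERT (via CMS.getEncodedCert); null when no certificate has been issued yet or name is not one of the two value names. */`. The two branches also repeat the same `getExtDataInCert` + null-check prologue; hoisting the lookup above the `if` would leave each branch a single line.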
+++ b/base/common/src/com/netscape/cms/profile/output/EnrollOutput.java 
@@ -0,0 +1,134 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Enumeration; +import java.util.Locale; +import java.util.Vector; + +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements the basic enrollment output. + * + * @version $Revision$, $Date$ + */ +public abstract class EnrollOutput implements IProfileOutput { + private IConfigStore mConfig = null; + private Vector mValueNames = new Vector(); + protected Vector mConfigNames = new Vector(); + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + mConfig = config; + } + + public IConfigStore getConfigStore() { + return mConfig; + } + + public void addValueName(String name) { + mValueNames.addElement(name); + } + + /** + * Populates the request with this policy default. + * + * @param ctx profile context + * @param request request + * @exception EProfileException failed to populate + */ + public abstract void populate(IProfileContext ctx, IRequest request) + throws EProfileException; + + /** + * Retrieves the descriptor of the given value + * parameter by name. + * + * @param locale user locale + * @param name property name + * @return property descriptor + */ + public abstract IDescriptor getValueDescriptor(Locale locale, String name); + + /** + * Retrieves the localizable name of this policy. + * + * @param locale user locale + * @return output policy name + */ + public abstract String getName(Locale locale); + + /** + * Retrieves the localizable description of this policy. + * + * @param locale user locale + * @return output policy description + */ + public abstract String getText(Locale locale); + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration getValueNames() { + return mValueNames.elements(); + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + return request.getExtDataInString(name); + } + + /** + * Sets the value of the given value parameter by name. 
+ */ + public void setValue(String name, Locale locale, IRequest request, + String value) throws EPropertyException { + request.setExtData(name, value); + } + + public Enumeration getConfigNames() { + return mConfigNames.elements(); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + return null; + } + + public void setConfig(String name, String value) + throws EPropertyException { + } + + public String getConfig(String name) { + return null; + } + + public String getDefaultConfig(String name) { + return null; + } +} diff --git a/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java b/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java new file mode 100644 index 000000000..0e01e15dd --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/output/PKCS7Output.java 
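Review bot: The default `getValue` and `setValue` read and write request ext-data under whatever `name` they are given, without checking it against the names registered through `addValueName`, so if `name` ever originates from a client-supplied parameter, any request attribute becomes readable (or writable) through the output plugin — this hunk does not show who supplies `name`, so please confirm at the call site. A cheap guard is `if (!mValueNames.contains(name)) return null;` in `getValue`, with the `setValue` counterpart throwing `EPropertyException`. Also `mValueNames`, `mConfigNames`, `getValueNames()` and `getConfigNames()` use raw `Vector`/`Enumeration`; `Vector<String>` and `Enumeration<String>` would let the compiler check the subclasses' `addValueName` calls.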
@@ -0,0 +1,158 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.io.ByteArrayOutputStream; +import java.security.cert.X509Certificate; +import java.util.Locale; + +import netscape.security.pkcs.ContentInfo; +import netscape.security.pkcs.PKCS7; +import netscape.security.pkcs.SignerInfo; +import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertificateChain; +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.ICertPrettyPrint; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the output plugin that outputs + * PKCS7 for the issued certificate. 
+ * + * @version $Revision$, $Date$ + */ +public class PKCS7Output extends EnrollOutput implements IProfileOutput { + + public static final String VAL_PRETTY_CERT = "pretty_cert"; + public static final String VAL_PKCS7 = "pkcs7"; + + public PKCS7Output() { + addValueName(VAL_PRETTY_CERT); + addValueName(VAL_PKCS7); + } + + /** + * Initializes this default policy. + */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. 
+ */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_PRETTY_CERT)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_CERT_PP")); + } else if (name.equals(VAL_PKCS7)) { + return new Descriptor(IDescriptor.PRETTY_PRINT, null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_PKCS7_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_PRETTY_CERT)) { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + ICertPrettyPrint prettyCert = CMS.getCertPrettyPrint(cert); + + return prettyCert.toString(locale); + } else if (name.equals(VAL_PKCS7)) { + + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); + CertificateChain cachain = ca.getCACertChain(); + X509Certificate[] cacerts = cachain.getChain(); + + X509CertImpl[] userChain = new X509CertImpl[cacerts.length + 1]; + int m = 1, n = 0; + + for (; n < cacerts.length; m++, n++) { + userChain[m] = (X509CertImpl) cacerts[n]; + } + + userChain[0] = cert; + PKCS7 p7 = new PKCS7(new AlgorithmId[0], + new ContentInfo(new byte[0]), + userChain, + new SignerInfo[0]); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + p7.encodeSignedData(bos); + byte[] p7Bytes = bos.toByteArray(); + String p7Str = CMS.BtoA(p7Bytes); + + return p7Str; + } catch (Exception e) { + return ""; + } + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java b/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java new file mode 100644 index 000000000..6bf03f436 --- /dev/null 
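Review bot: The `VAL_PKCS7` branch returns `""` from `catch (Exception e)` while the `cert == null` path in the same branch and the `CMMFOutput` hunk above return null, so a caller cannot tell "no certificate yet" from "PKCS#7 encoding failed", and the exception itself is discarded. Log it and settle on one sentinel: `CMS.debug("PKCS7Output: getValue - " + e.toString()); return null;` (keep `""` only if a caller depends on it, and then say so in a comment). The `PKCS7` is built with `new SignerInfo[0]` and an empty `ContentInfo`, i.e. a certs-only SignedData; a one-line comment such as `// certs-only SignedData: user cert first, then the CA chain; no signers by design` would save the next reader from wondering whether the signature was forgotten.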
+++ b/base/common/src/com/netscape/cms/profile/output/nsNKeyOutput.java 
@@ -0,0 +1,110 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.output; + +import java.util.Locale; + +import netscape.security.x509.X509CertImpl; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileContext; +import com.netscape.certsrv.profile.IProfileOutput; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.profile.common.EnrollProfile; + +/** + * This class implements the output plugin that outputs + * DER for the issued certificate for token keys + * + * @version $Revision$, $Date$ + */ +public class nsNKeyOutput extends EnrollOutput implements IProfileOutput { + + public static final String VAL_DER = "der"; + + public nsNKeyOutput() { + addValueName(VAL_DER); + } + + /** + * Initializes this default policy. 
+ */ + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TOKENKEY_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_OUTPUT_CERT_TOKENKEY_TEXT"); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IProfileContext ctx, IRequest request) + throws EProfileException { + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_DER)) { + return new Descriptor("der_b64", null, + null, + CMS.getUserMessage(locale, + "CMS_PROFILE_OUTPUT_DER_B64")); + } + return null; + } + + public String getValue(String name, Locale locale, IRequest request) + throws EProfileException { + if (name.equals(VAL_DER)) { + + try { + X509CertImpl cert = request.getExtDataInCert( + EnrollProfile.REQUEST_ISSUED_CERT); + if (cert == null) + return null; + return CMS.BtoA(cert.getEncoded()); + } catch (Exception e) { + return ""; + } + } else { + return null; + } + } + +} diff --git a/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java new file mode 100644 index 000000000..52c87113d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java 
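Review bot: `getValueDescriptor` passes the bare string `"der_b64"` as the descriptor type where the other output hunks use an `IDescriptor` constant (`IDescriptor.PRETTY_PRINT`); if the consumer matches on this string a typo is invisible at compile time, so hoist it to `public static final String DER_B64 = "der_b64";` (or an `IDescriptor` constant if one exists) and reference that. As in the `PKCS7Output` hunk above, `catch (Exception e) { return ""; }` around `cert.getEncoded()` hides the encoding failure; log it with `CMS.debug("nsNKeyOutput: getValue - " + e.toString());` before returning.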
@@ -0,0 +1,321 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.updater;
+
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.ldap.LDAPException;
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IEnrollProfile;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileUpdater;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This updater class will create the new user to the subsystem group and
+ * then add the subsystem certificate to the user.
+ *
+ * @version $Revision$, $Date$
+ */
+public class SubsystemGroupUpdater implements IProfileUpdater {
+
+ private IProfile mProfile = null;
+ private EnrollProfile mEnrollProfile = null;
+ private IConfigStore mConfig = null;
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private Vector mConfigNames = new Vector();
+ private Vector mValueNames = new Vector();
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+ private final static String SIGNED_AUDIT_PASSWORD_VALUE = "********";
+ private final static String SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR = "Unknown";
+ private final static String SIGNED_AUDIT_NAME_VALUE_DELIMITER = ";;";
+ private final static String SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER = "+";
+
+ public SubsystemGroupUpdater() {
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ mConfig = config;
+ mProfile = profile;
+ mEnrollProfile = (EnrollProfile) profile;
+ }
+
+ public Enumeration getConfigNames() {
+ return mConfigNames.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+ if (mConfig.getSubStore("params") == null) {
+ //
+ } else {
+ mConfig.getSubStore("params").putString(name, value);
+ }
+ }
+
+ public String getConfig(String name) {
+ try {
+ if (mConfig == null) {
+ return null;
+ }
+ if (mConfig.getSubStore("params") != null) {
+ return mConfig.getSubStore("params").getString(name);
+ }
+ } catch (EBaseException e) {
+ }
+ return "";
+ }
+
+ public IConfigStore getConfigStore() {
+ return mConfig;
+ }
+
+ public void update(IRequest req, RequestStatus status)
+ throws EProfileException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ CMS.debug("SubsystemGroupUpdater update starts");
+ if (status != req.getRequestStatus()) {
+ return;
+ }
+
+ X509CertImpl cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+ if (cert == null)
+ return;
+
+ IConfigStore mainConfig = CMS.getConfigStore();
+
+ int num = 0;
+ try {
+ num = mainConfig.getInteger("subsystem.count", 0);
+ } catch (Exception e) {
+ }
+
+ IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+
+ String requestor_name = "subsystem";
+ try {
+ requestor_name = req.getExtDataInString("requestor_name");
+ } catch (Exception e1) {
+ // ignore
+ }
+
+ // i.e. tps-1.2.3.4-4
+ String id = requestor_name;
+
+ num++;
+ mainConfig.putInteger("subsystem.count", num);
+
+ try {
+ mainConfig.commit(false);
+ } catch (Exception e) {
+ }
+ String auditParams = "Scope;;users+Operation;;OP_ADD+source;;SubsystemGroupUpdater"
+ + "+Resource;;" + id
+ + "+fullname;;" + id
+ + "+state;;1"
+ + "+userType;;agentType+email;;+password;;+phone;;";
+
+ IUser user = null;
+ CMS.debug("SubsystemGroupUpdater adduser");
+ try {
+ user = system.createUser(id);
+ user.setFullName(id);
+ user.setEmail("");
+ user.setPassword("");
+ user.setUserType("agentType");
+ user.setState("1");
+ user.setPhone("");
+ X509CertImpl[] certs = new X509CertImpl[1];
+ certs[0] = cert;
+ user.setX509Certificates(certs);
+
+ system.addUser(user);
+ CMS.debug("SubsystemGroupUpdater update: successfully add the user");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
+
+ String b64 = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ try {
+ byte[] certEncoded = cert.getEncoded();
+ b64 = CMS.BtoA(certEncoded).trim();
+
+ // extract all line separators
+ StringBuffer sb = new StringBuffer();
+ for (int i = 0; i < b64.length(); i++) {
+ if (!Character.isWhitespace(b64.charAt(i))) {
+ sb.append(b64.charAt(i));
+ }
+ }
+ b64 = sb.toString();
+ } catch (Exception ence) {
+ CMS.debug("SubsystemGroupUpdater update: user cert encoding failed: " + ence);
+ }
+
+ auditParams = "Scope;;certs+Operation;;OP_ADD+source;;SubsystemGroupUpdater"
+ + "+Resource;;" + id
+ + "+cert;;" + b64;
+
+ system.addUserCert(user);
+ CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
+ } catch (LDAPException e) {
+ CMS.debug("UpdateSubsystemGroup: update " + e.toString());
+ if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
+ throw new EProfileException(e.toString());
+ }
+ } catch (Exception e) {
+ CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString());
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
+ throw new EProfileException(e.toString());
+ }
+
+ IGroup group = null;
+ String groupName = "Subsystem Group";
+ auditParams = "Scope;;groups+Operation;;OP_MODIFY+source;;SubsystemGroupUpdater"
+ + "+Resource;;" + groupName;
+
+ try {
+ group = system.getGroupFromName(groupName);
+
+ auditParams += "+user;;";
+ Enumeration members = group.getMemberNames();
+ while (members.hasMoreElements()) {
+ auditParams += members.nextElement();
+ if (members.hasMoreElements()) {
+ auditParams += ",";
+ }
+ }
+
+ if (!group.isMember(id)) {
+ auditParams += "," + id;
+ group.addMemberName(id);
+ system.modifyGroup(group);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams);
+ audit(auditMessage);
+
+ CMS.debug("UpdateSubsystemGroup: update: successfully added the user to the group.");
+ } else {
+ CMS.debug("UpdateSubsystemGroup: update: user already a member of the group");
+ }
+ } catch (Exception e) {
+ CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString());
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams);
+ audit(auditMessage);
+ }
+ }
+
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_UPDATER_SUBSYSTEM_NAME");
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_UPDATER_SUBSYSTEM_TEXT");
+ }
+
+ private void audit(String msg) {
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private String auditSubjectID() {
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ String subjectID = null;
+
+ // Initialize subjectID
+ SessionContext auditContext = SessionContext.getExistingContext();
+
+ if (auditContext != null) {
+ subjectID = (String)
+ auditContext.get(SessionContext.USER_ID);
+
+ if (subjectID != null) {
+ subjectID = subjectID.trim();
+ } else {
+ subjectID = ILogger.NONROLEUSER;
+ }
+ } else {
+ subjectID = ILogger.UNIDENTIFIED;
+ }
+ return subjectID;
+ }
+}
-- cgit
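Review bot: In `update`, the default `requestor_name = "subsystem"` is overwritten unconditionally by `req.getExtDataInString("requestor_name")`, so if that lookup yields null or an empty string for a missing attribute, `id` reaches `system.createUser(id)`, the `Subsystem Group` membership change and the `Resource;;` field of the audit record in that state. Because this request-supplied value becomes the identifier of a directory user and a group member name, it should be checked before use, e.g. `String rn = req.getExtDataInString("requestor_name"); if (rn != null && !rn.trim().isEmpty()) requestor_name = rn.trim();`. Separately, `subsystem.count` is incremented and committed (with a commit failure silently swallowed by the empty `catch`) before `createUser`/`addUser` run, so a failed add still consumes a slot; moving the counter update after the successful `addUser` keeps the config consistent with the directory. `mEnrollProfile`, `mValueNames` and the `SIGNED_AUDIT_*` constants are assigned but never read in this file.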