From d0f2e4efbd3eb0f1d7f5a28e7f97c1fb4ec027bb Mon Sep 17 00:00:00 2001 From: PKI Team Date: Tue, 18 Mar 2008 22:36:57 +0000 Subject: Initial open source version based upon proprietary Red Hat Certificate System (RHCS) 7.3. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../constraint/NSCertTypeExtConstraint.java | 240 +++++++++++++++++++++ 1 file changed, 240 insertions(+) create mode 100644 pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java (limited to 'pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java') diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java new file mode 100644 index 000000000..471d5396c --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/NSCertTypeExtConstraint.java @@ -0,0 +1,240 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.constraint; + + +import java.util.*; +import java.io.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.apps.*; +import com.netscape.cms.profile.common.*; +import com.netscape.cms.profile.def.*; + +import netscape.security.x509.*; +import netscape.security.extensions.*; + + +/** + * This class implements the Netscape certificate type extension constraint. + * It checks if the Netscape certificate type extension in the certificate + * template satisfies the criteria. + * + * @version $Revision: 14561 $, $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ + */ +public class NSCertTypeExtConstraint extends EnrollConstraint { + + public static final String CONFIG_CRITICAL = "nsCertCritical"; + public static final String CONFIG_SSL_CLIENT = "nsCertSSLClient"; + public static final String CONFIG_SSL_SERVER = "nsCertSSLServer"; + public static final String CONFIG_EMAIL = "nsCertEmail"; + public static final String CONFIG_OBJECT_SIGNING = "nsCertObjectSigning"; + public static final String CONFIG_SSL_CA = "nsCertSSLCA"; + public static final String CONFIG_EMAIL_CA = "nsCertEmailCA"; + public static final String CONFIG_OBJECT_SIGNING_CA = "nsCertObjectSigningCA"; + + public NSCertTypeExtConstraint() { + super(); + addConfigName(CONFIG_CRITICAL); + addConfigName(CONFIG_SSL_CLIENT); + addConfigName(CONFIG_SSL_SERVER); + addConfigName(CONFIG_EMAIL); + addConfigName(CONFIG_OBJECT_SIGNING); + addConfigName(CONFIG_SSL_CA); + addConfigName(CONFIG_EMAIL_CA); + addConfigName(CONFIG_OBJECT_SIGNING_CA); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_CRITICAL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_CRITICAL")); + } else if (name.equals(CONFIG_SSL_CLIENT)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CLIENT")); + } else if (name.equals(CONFIG_SSL_SERVER)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_SERVER")); + } else if (name.equals(CONFIG_EMAIL)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL")); + } else if (name.equals(CONFIG_OBJECT_SIGNING)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_OBJECT_SIGNING")); + } else if (name.equals(CONFIG_SSL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_SSL_CA")); + } else if (name.equals(CONFIG_EMAIL_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, "CMS_PROFILE_EMAIL_CA")); + } else if (name.equals(CONFIG_OBJECT_SIGNING_CA)) { + return new Descriptor(IDescriptor.CHOICE, "true,false,-", + "-", + CMS.getUserMessage(locale, + "CMS_PROFILE_OBJECT_SIGNING_CA")); + } + return null; + } + + /** + * Validates the request. The request is not modified + * during the validation. + */ + public void validate(IRequest request, X509CertInfo info) + throws ERejectException { + NSCertTypeExtension ext = (NSCertTypeExtension) + getExtension(NSCertTypeExtension.CertType_Id.toString(), info); + + if (ext == null) { + throw new ERejectException( + CMS.getUserMessage( + getLocale(request), + "CMS_PROFILE_EXTENSION_NOT_FOUND", + NSCertTypeExtension.CertType_Id.toString())); + } + + String value = getConfig(CONFIG_CRITICAL); + + if (!isOptional(value)) { + boolean critical = getBoolean(value); + + if (critical != ext.isCritical()) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_CRITICAL_NOT_MATCHED")); + } + } + value = getConfig(CONFIG_SSL_CLIENT); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(0)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CLIENT_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_SERVER); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(1)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_SERVER_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(2)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(3)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_SSL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(4)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_SSL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_EMAIL_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(5)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_EMAIL_CA_NOT_MATCHED", + value)); + } + } + value = getConfig(CONFIG_OBJECT_SIGNING_CA); + if (!isOptional(value)) { + boolean bit = getBoolean(value); + + if (bit != ext.isSet(6)) { + throw new ERejectException( + CMS.getUserMessage(getLocale(request), + "CMS_PROFILE_OBJECT_SIGNING_CA_NOT_MATCHED", + value)); + } + } + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_CRITICAL), + getConfig(CONFIG_SSL_CLIENT), + getConfig(CONFIG_SSL_SERVER), + getConfig(CONFIG_EMAIL), + getConfig(CONFIG_OBJECT_SIGNING), + getConfig(CONFIG_SSL_CA), + getConfig(CONFIG_EMAIL_CA), + getConfig(CONFIG_OBJECT_SIGNING_CA) + }; + + return CMS.getUserMessage(locale, + "CMS_PROFILE_CONSTRAINT_NS_CERT_EXT_TEXT", params); + } + + public boolean isApplicable(IPolicyDefault def) { + if (def instanceof NoDefault) + return true; + if (def instanceof NSCertTypeExtDefault) + return true; + if (def instanceof UserExtensionDefault) + return true; + return false; + } +} -- cgit