// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; import netscape.security.provider.RSAPublicKey; import netscape.security.util.BigInt; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateX509Key; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509Key; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.policy.EPolicyException; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * RSAKeyConstraints policy enforces min and max size of the key. * Optionally checks the exponents. *
* *
* NOTE: The Policy Framework has been replaced by the Profile Framework. **
*
* @deprecated
* @version $Revision$, $Date$
*/
public class RSAKeyConstraints extends APolicyRule
implements IEnrollmentPolicy, IExtendedPluginInfo {
private Vector
*
* The entries probably are of the form:
*
* ra.Policy.rule.
*
* @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult result = PolicyResult.ACCEPTED;
try {
// Get the certificate info from the request
X509CertInfo certInfo[] =
req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
// There should be a certificate info set.
if (certInfo == null) {
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO",
getInstanceName()), "");
return PolicyResult.REJECTED;
}
// Else check if the key size(s) are within the limit.
for (int i = 0; i < certInfo.length; i++) {
CertificateX509Key certKey = (CertificateX509Key)
certInfo[i].get(X509CertInfo.KEY);
X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY);
String alg = key.getAlgorithmId().toString();
if (!alg.equalsIgnoreCase(RSA))
continue;
X509Key newkey = null;
try {
newkey = new X509Key(AlgorithmId.get("RSA"),
key.getKey());
} catch (Exception e) {
CMS.debug("RSAKeyConstraints::apply() - "
+ "Exception=" + e.toString());
setError(req,
CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION",
getInstanceName()),
"");
return PolicyResult.REJECTED;
}
RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded());
int keySize = rsaKey.getKeySize();
if (keySize < mMinSize || keySize > mMaxSize) {
String[] params = { getInstanceName(),
String.valueOf(keySize),
String.valueOf(mMinSize),
String.valueOf(mMaxSize) };
setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION",
params), "");
result = PolicyResult.REJECTED;
}
// If the exponents are configured, see if the key's
// exponent is a configured one.
if (mExponents.size() > 0) {
BigInt exp = rsaKey.getPublicExponent();
if (!mExponents.contains(exp)) {
StringBuffer sb = new StringBuffer();
for (Enumeration