// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; import java.util.Vector; import netscape.security.x509.CertificateExtensions; import netscape.security.x509.CertificateVersion; import netscape.security.x509.GeneralNames; import netscape.security.x509.RFC822Name; import netscape.security.x509.SubjectAlternativeNameExtension; import netscape.security.x509.X509CertInfo; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt. *
* * Subject Alternative Name extension policy in CMS 4.1. * * Adds the subject alternative name extension depending on the certificate type requested. * * Two forms are supported. 1) For S/MIME certificates, email addresses are copied from data stored in the request by * the authentication component. Both 'e' and 'altEmail' are supported so that both the primary address and alternative * forms may be certified. Only the primary goes in the subjectName position (which should be phased out). * * e mailAlternateAddress *
* *
* NOTE: The Policy Framework has been replaced by the Profile Framework. **
* * @deprecated * @version $Revision$, $Date$ */ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { // for future use. currently always allow. protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; protected static final String PROP_EE_OVERR = "AllowEEOverride"; protected static final String PROP_ENABLE_MANUAL_VALUES = "enableManualValues"; // for future use. currently always non-critical // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; // for future use to allow overrides from forms. // request must be agent approved or authenticated. protected boolean mAllowAgentOverride = false; protected boolean mAllowEEOverride = false; protected boolean mEnableManualValues = false; // for future use. currently always critical // (standard says SHOULD be marked critical if included.) protected boolean mCritical = false; public SubjAltNameExt() { NAME = "SubjAltNameExt"; DESC = "Sets alternative subject names for certificates"; } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_CRITICAL + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.", IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-subjaltname", IExtendedPluginInfo.HELP_TEXT + ";This policy inserts the Subject Alternative Name " + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + "* Note: you probably want to use this policy in " + "conjunction with an authentication manager which sets " + "the 'mail' or 'mailalternateaddress' values in the authToken. " + "See the 'ldapStringAttrs' parameter in the Directory-based " + "authentication plugin" }; return params; } /** * Initializes this policy rule. *
*
* The entries may be of the form:
*
* ra.Policy.rule.
*
* @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult res = PolicyResult.ACCEPTED;
// Find the X509CertInfo object in the request
X509CertInfo[] ci =
req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (ci == null || ci[0] == null) {
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
return PolicyResult.REJECTED; // unrecoverable error.
}
for (int i = 0; i < ci.length; i++) {
PolicyResult certRes = applyCert(req, ci[i]);
if (certRes == PolicyResult.REJECTED)
return certRes;
}
return res;
}
public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) {
PolicyResult res = PolicyResult.ACCEPTED;
//
// General error handling block
//
apply: try {
// Find the extensions in the certInfo
CertificateExtensions extensions = (CertificateExtensions)
certInfo.get(X509CertInfo.EXTENSIONS);
if (extensions != null) {
//
// Remove any previously computed version of the extension
//
try {
extensions.delete(SubjectAlternativeNameExtension.NAME);
} catch (IOException e) {
// extension isn't there
}
}
//
// Determine the type of the request. For future expansion
// this test should dispatch to a specialized object to
// handle each particular type. For now just return for
// non-client certs, and implement client certs directly here.
//
String certType =
req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE);
if (certType == null ||
!certType.equals(IRequest.CLIENT_CERT) ||
!req.getExtDataInBoolean(IRequest.SMIME, false)) {
break apply;
}
// Create a list of email addresses that should be added
// to the certificate
IAuthToken tok = findAuthToken(req, null);
if (tok == null)
break apply;
Vector