// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.util.Locale; import java.util.Vector; import netscape.security.x509.CertificateExtensions; import netscape.security.x509.CertificateVersion; import netscape.security.x509.CertificateX509Key; import netscape.security.x509.KeyIdentifier; import netscape.security.x509.SubjectKeyIdentifierExtension; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509Key; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.policy.EPolicyException; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.policy.IPolicyProcessor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * Subject Public Key Extension Policy * Adds the subject public key id extension to certificates. *
* *
* NOTE: The Policy Framework has been replaced by the Profile Framework. **
*
* @deprecated
* @version $Revision$, $Date$
*/
public class SubjectKeyIdentifierExt extends APolicyRule
implements IEnrollmentPolicy, IExtendedPluginInfo {
protected static final String PROP_CRITICAL = "critical";
protected static final String PROP_KEYID_TYPE = "keyIdentifierType";
protected static final String PROP_REQATTR_NAME = "requestAttrName";
protected static final String KEYID_TYPE_SHA1 = "SHA1";
protected static final String KEYID_TYPE_TYPEFIELD = "TypeField";
protected static final String KEYID_TYPE_SPKISHA1 = "SpkiSHA1";
protected static final String KEYID_TYPE_REQATTR = "RequestAttribute";
protected static final boolean DEF_CRITICAL = false;
protected static final String DEF_KEYID_TYPE = KEYID_TYPE_SHA1;
protected static final String DEF_REQATTR_NAME = "KeyIdentifier";
protected boolean mEnabled = false;
protected IConfigStore mConfig = null;
protected boolean mCritical = DEF_CRITICAL;
protected String mKeyIdType = DEF_KEYID_TYPE;;
protected String mReqAttrName = DEF_REQATTR_NAME;
protected Vector
*
* The entries may be of the form:
*
* ca.Policy.rule.
*
* @param certInfo Certificate Info
* @param req request
* @return A Key Identifier.
*/
protected KeyIdentifier formKeyIdentifier(
X509CertInfo certInfo, IRequest req) throws EBaseException {
KeyIdentifier keyId = null;
if (mKeyIdType == KEYID_TYPE_SHA1) {
keyId = formSHA1KeyId(certInfo);
} else if (mKeyIdType == KEYID_TYPE_TYPEFIELD) {
keyId = formTypeFieldKeyId(certInfo);
} /*
else if (mKeyIdType == KEYID_TYPE_REQATTR) {
keyId = formReqAttrKeyId(certInfo, req);
}
*/else if (mKeyIdType == KEYID_TYPE_SPKISHA1) {
keyId = formSpkiSHA1KeyId(certInfo);
} else {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE",
mKeyIdType, "Unknown Key Identifier type."));
}
return keyId;
}
/**
* Form key identifier from a type field value of 0100 followed by
* the least significate 60 bits of the sha-1 hash of the subject
* public key BIT STRING in accordance with RFC 2459.
*
*
* @param certInfo - certificate info
* @return A Key Identifier with value formulatd as described.
*/
protected KeyIdentifier formTypeFieldKeyId(X509CertInfo certInfo)
throws EBaseException {
KeyIdentifier keyId = null;
X509Key key = null;
try {
CertificateX509Key certKey =
(CertificateX509Key) certInfo.get(X509CertInfo.KEY);
if (certKey == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME));
throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME));
}
key = (X509Key) certKey.get(CertificateX509Key.KEY);
if (key == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME));
throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME));
}
} catch (IOException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString()));
throw new EPolicyException(
CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME));
} catch (CertificateException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString()));
throw new EPolicyException(
CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME));
}
try {
byte[] octetString = new byte[8];
MessageDigest md = MessageDigest.getInstance("SHA-1");
md.update(key.getKey());
byte[] hash = md.digest();
System.arraycopy(hash, hash.length - 8, octetString, 0, 8);
octetString[0] &= (0x08f & octetString[0]);
keyId = new KeyIdentifier(octetString);
} catch (NoSuchAlgorithmException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME));
throw new EPolicyException(
CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME));
}
return keyId;
}
/**
* Return configured parameters for a policy rule instance.
*
* @return nvPairs A Vector of name/value pairs.
*/
public Vector