// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2012 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.cert; import java.util.Calendar; import java.util.StringTokenizer; import com.netscape.certsrv.cert.CertSearchRequest; import com.netscape.cmsutil.ldap.LDAPUtil; /** * @author jmagne * */ public class FilterBuilder { private final static String MATCH_EXACTLY = "exact"; private String searchFilter = null; private CertSearchRequest request = null; public FilterBuilder(CertSearchRequest request) { this.request = request; } public String buildFilter() { StringBuffer filter = new StringBuffer(); buildSerialNumberRangeFilter(filter); buildSubjectFilter(filter); buildRevokedByFilter(filter); buildRevokedOnFilter(filter); buildRevocationReasonFilter(filter); buildIssuedByFilter(filter); buildIssuedOnFilter(filter); buildValidNotBeforeFilter(filter); buildValidNotAfterFilter(filter); buildValidityLengthFilter(filter); buildCertTypeFilter(filter); searchFilter = filter.toString(); if (searchFilter != null && !searchFilter.equals("")) { searchFilter = "(&" + searchFilter + ")"; } return searchFilter; } private void buildSerialNumberRangeFilter(StringBuffer filter) { if (!request.getSerialNumberRangeInUse()) { return; } boolean changed = false; String serialFrom = request.getSerialFrom(); if (serialFrom != null && !serialFrom.equals("")) { filter.append("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")"); changed = true; } String serialTo = request.getSerialTo(); if (serialTo != null && !serialTo.equals("")) { filter.append("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")"); changed = true; } if (!changed) { filter.append("(certRecordId=*)"); } } private void buildSubjectFilter(StringBuffer filter) { if (!request.getSubjectInUse()) { return; } StringBuffer lf = new StringBuffer(); String matchStr = null; boolean match = request.getMatchExactly(); if (match == true) { matchStr = MATCH_EXACTLY; } buildAVAFilter(request.getEmail(), "E", lf, matchStr); buildAVAFilter(request.getCommonName(), "CN", lf, matchStr); buildAVAFilter(request.getUserID(), "UID", lf, matchStr); buildAVAFilter(request.getOrgUnit(), "OU", lf, matchStr); buildAVAFilter(request.getOrg(), "O", lf, matchStr); buildAVAFilter(request.getLocality(), "L", lf, matchStr); buildAVAFilter(request.getState(), "ST", lf, matchStr); buildAVAFilter(request.getCountry(), "C", lf, matchStr); if (lf.length() == 0) { filter.append("(x509cert.subject=*)"); return; } if (matchStr != null && matchStr.equals(MATCH_EXACTLY)) { filter.append("(&"); filter.append(lf); filter.append(")"); } else { filter.append("(|"); filter.append(lf); filter.append(")"); } } private void buildRevokedByFilter(StringBuffer filter) { if (!request.getRevokedByInUse()) { return; } String revokedBy = request.getRevokedBy(); if (revokedBy == null || revokedBy.equals("")) { filter.append("(certRevokedBy=*)"); } else { filter.append("(certRevokedBy="); filter.append(LDAPUtil.escapeFilter(revokedBy)); filter.append(")"); } } private void buildDateFilter(String prefix, String outStr, long adjustment, StringBuffer filter) { if (prefix == null || prefix.length() == 0) return; long epoch = Long.parseLong(prefix); Calendar from = Calendar.getInstance(); from.setTimeInMillis(epoch); filter.append("("); filter.append(LDAPUtil.escapeFilter(outStr)); filter.append(Long.toString(from.getTimeInMillis() + adjustment)); filter.append(")"); } private void buildRevokedOnFilter(StringBuffer filter) { if (!request.getRevokedOnInUse()) { return; } buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0, filter); buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999, filter); } private void buildRevocationReasonFilter(StringBuffer filter) { if (!request.getRevocationReasonInUse()) { return; } String reasons = request.getRevocationReason(); if (reasons == null) { return; } String queryCertFilter = null; StringTokenizer st = new StringTokenizer(reasons, ","); if (st.hasMoreTokens()) { filter.append("(|"); while (st.hasMoreTokens()) { String token = st.nextToken(); if (queryCertFilter == null) { queryCertFilter = ""; } filter.append("(x509cert.certRevoInfo="); filter.append(LDAPUtil.escapeFilter(token)); filter.append(")"); } filter.append(")"); } } private void buildIssuedByFilter(StringBuffer filter) { if (!request.getIssuedByInUse()) { return; } String issuedBy = request.getIssuedBy(); if (issuedBy == null || issuedBy.equals("")) { filter.append("(certIssuedBy=*)"); } else { filter.append("(certIssuedBy="); filter.append(LDAPUtil.escapeFilter(issuedBy)); filter.append(")"); } } private void buildIssuedOnFilter(StringBuffer filter) { if (!request.getIssuedOnInUse()) { return; } buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0, filter); buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999, filter); } private void buildValidNotBeforeFilter(StringBuffer filter) { if (!request.getValidNotBeforeInUse()) { return; } buildDateFilter(request.getValidNotBeforeFrom(), "x509cert.notBefore>=", 0, filter); buildDateFilter(request.getValidNotBeforeTo(), "x509cert.notBefore<=", 86399999, filter); } private void buildValidNotAfterFilter(StringBuffer filter) { if (!request.getValidNotAfterInUse()) { return; } buildDateFilter(request.getValidNotAfterFrom(), "x509cert.notAfter>=", 0, filter); buildDateFilter(request.getValidNotAfterTo(), "x509cert.notAfter<=", 86399999, filter); } private void buildValidityLengthFilter(StringBuffer filter) { if (!request.getValidityLengthInUse()) { return; } String op = request.getValidityOperation(); long count = 0; try { count = Long.parseLong(request.getValidityCount()); } catch (NumberFormatException e) { // safely ignore } long unit = 0; try { unit = Long.parseLong(request.getValidityUnit()); } catch (NumberFormatException e) { // safely ignore } filter.append("("); filter.append("x509cert.duration"); filter.append(LDAPUtil.escapeFilter(op)); filter.append(count * unit); filter.append(")"); } private void buildCertTypeFilter(StringBuffer filter) { if (!request.getCertTypeInUse()) { return; } if (isOn(request.getCertTypeSSLClient())) { filter.append("(x509cert.nsExtension.SSLClient=on)"); } else if (isOff(request.getCertTypeSSLClient())) { filter.append("(x509cert.nsExtension.SSLClient=off)"); } if (isOn(request.getCertTypeSSLServer())) { filter.append("(x509cert.nsExtension.SSLServer=on)"); } else if (isOff(request.getCertTypeSSLServer())) { filter.append("(x509cert.nsExtension.SSLServer=off)"); } if (isOn(request.getCertTypeSecureEmail())) { filter.append("(x509cert.nsExtension.SecureEmail=on)"); } else if (isOff(request.getCertTypeSecureEmail())) { filter.append("(x509cert.nsExtension.SecureEmail=off)"); } if (isOn(request.getCertTypeSubSSLCA())) { filter.append("(x509cert.nsExtension.SubordinateSSLCA=on)"); } else if (isOff(request.getCertTypeSubSSLCA())) { filter.append("(x509cert.nsExtension.SubordinateSSLCA=off)"); } if (isOn(request.getCertTypeSubEmailCA())) { filter.append("(x509cert.nsExtension.SubordinateEmailCA=on)"); } else if (isOff(request.getCertTypeSubEmailCA())) { filter.append("(x509cert.nsExtension.SubordinateEmailCA=off)"); } } private boolean isOn(String value) { String inUse = value; if (inUse == null) { return false; } if (inUse.equals("on")) { return true; } return false; } private boolean isOff(String value) { String inUse = value; if (inUse == null) { return false; } if (inUse.equals("off")) { return true; } return false; } private void buildAVAFilter(String param, String avaName, StringBuffer lf, String match) { if (param != null && !param.equals("")) { if (match != null && match.equals(MATCH_EXACTLY)) { lf.append("(|"); lf.append("(x509cert.subject=*"); lf.append(avaName); lf.append("="); lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param))); lf.append(",*)"); lf.append("(x509cert.subject=*"); lf.append(avaName); lf.append("="); lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param))); lf.append(")"); lf.append(")"); } else { lf.append("(x509cert.subject=*"); lf.append(avaName); lf.append("="); lf.append("*"); lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param))); lf.append("*)"); } } } }