// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; import java.util.Locale; import java.util.Vector; import netscape.security.x509.X500Name; import netscape.security.x509.X509CertInfo; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.policy.EPolicyException; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * IssuerConstraints is a rule for restricting the issuers of the * certificates used for certificate-based enrollments. *
* *
* NOTE: The Policy Framework has been replaced by the Profile Framework. **
* * @deprecated * @version $Revision$ $Date$ */ public class IssuerConstraints extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String PROP_ISSUER_DN = "issuerDN"; private static final String CLIENT_ISSUER = "clientIssuer"; private X500Name mIssuerDN = null; private String mIssuerDNString; /** * checks the issuer of the ssl client-auth cert. Only one issuer * is allowed for now */ public IssuerConstraints() { NAME = "IssuerConstraints"; DESC = "Checks to see if the Issuer is one allowed"; } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_ISSUER_DN + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-issuerconstraints", IExtendedPluginInfo.HELP_TEXT + ";Rejects the request if the issuer in the certificate is" + "not of the one specified" }; return params; } /** * Initializes this policy rule. *
* * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) throws EPolicyException { try { mIssuerDNString = config.getString(PROP_ISSUER_DN, null); if ((mIssuerDNString != null) && !mIssuerDNString.equals("")) { mIssuerDN = new X500Name(mIssuerDNString); } } catch (Exception e) { log(ILogger.LL_FAILURE, NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); String[] params = { getInstanceName(), e.toString() }; throw new EPolicyException( CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } CMS.debug( NAME + ": init() done"); } /** * Applies the policy on the given Request. *
*
* @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult result = PolicyResult.ACCEPTED;
if (mIssuerDN == null)
return result;
try {
String clientIssuerDN = req.getExtDataInString(CLIENT_ISSUER);
if (clientIssuerDN != null) {
X500Name ci_name = new X500Name(clientIssuerDN);
if (!ci_name.equals(mIssuerDN)) {
setError(req,
CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER",
getInstanceName()), "");
result = PolicyResult.REJECTED;
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED"));
CMS.debug(
NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN
+ "; expected issuerDN = " + mIssuerDNString);
}
} else {
// Get the certificate info from the request
X509CertInfo certInfo[] =
req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (certInfo == null) {
log(ILogger.LL_FAILURE,
NAME + ": apply() - missing certInfo");
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO",
getInstanceName()), "");
return PolicyResult.REJECTED;
}
for (int i = 0; i < certInfo.length; i++) {
String oldIssuer = (String)
certInfo[i].get(X509CertInfo.ISSUER).toString();
if (oldIssuer == null) {
setError(req,
CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND",
getInstanceName()), "");
result = PolicyResult.REJECTED;
log(ILogger.LL_FAILURE,
NAME + ": apply() - client issuerDN not found");
}
X500Name oi_name = new X500Name(oldIssuer);
if (!oi_name.equals(mIssuerDN)) {
setError(req,
CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER",
getInstanceName()), "");
result = PolicyResult.REJECTED;
log(ILogger.LL_FAILURE,
NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer
+ "; expected issuerDN = " + mIssuerDNString);
}
}
}
} catch (Exception e) {
String params[] = { getInstanceName(), e.toString() };
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
result = PolicyResult.REJECTED;
}
if (result.equals(PolicyResult.ACCEPTED)) {
log(ILogger.LL_INFO,
NAME + ": apply() - accepted");
}
return result;
}
/**
* Return configured parameters for a policy rule instance.
*
* @return nvPairs A Vector of name/value pairs.
*/
public Vector