// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; import java.util.*; import java.io.*; import java.security.cert.*; import com.netscape.certsrv.apps.*; import com.netscape.certsrv.base.*; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.certsrv.policy.*; import com.netscape.certsrv.base.*; import com.netscape.certsrv.authentication.*; import com.netscape.certsrv.common.*; import com.netscape.certsrv.logging.ILogger; import netscape.security.x509.*; import netscape.security.extensions.*; import netscape.ldap.*; import netscape.security.util.*; import com.netscape.cms.policy.APolicyRule; /** * Certificate Scope Of Use extension policy. This extension * is defined in draft-thayes-cert-scope-00.txt * * @version $Revision: 14561 $, $Date: 2007-05-01 10:28:56 -0700 (Tue, 01 May 2007) $ */ public class CertificateScopeOfUseExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ENTRY = "entry"; protected static final String PROP_NAME = "name"; protected static final String PROP_NAME_TYPE = "name_type"; protected static final String PROP_PORT_NUMBER = "port_number"; public static final int MAX_ENTRY = 5; public IConfigStore mConfig = null; public CertificateScopeOfUseExt() { NAME = "CertificateScopeOfUseExt"; DESC = "Sets scope of use extension for certificates"; } public String[] getExtendedPluginInfo(Locale locale) { Vector v = new Vector(); v.addElement(PROP_CRITICAL + ";boolean; This extension may be either critical or non-critical."); v.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-certificatescopeofuse"); v.addElement(IExtendedPluginInfo.HELP_TEXT + ";Adds Certificate Scope of Use Extension."); for (int i = 0; i < MAX_ENTRY; i++) { v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_PORT_NUMBER + ";string;" + "The port number (optional)."); } return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } /** * Initializes this policy rule. *
*
* The entries may be of the form:
*
* ca.Policy.rule.
*
* @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult res = PolicyResult.ACCEPTED;
X509CertInfo certInfo;
X509CertInfo[] ci = req.getExtDataInCertInfoArray(
IRequest.CERT_INFO);
if (ci == null) {
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
return PolicyResult.REJECTED; // unrecoverable error.
}
for (int j = 0; j < ci.length; j++) {
certInfo = ci[j];
if (certInfo == null) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME));
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, "Configuration Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
}
try {
// Find the extensions in the certInfo
CertificateExtensions extensions = (CertificateExtensions)
certInfo.get(X509CertInfo.EXTENSIONS);
// add access descriptions
Vector entries = getScopeEntries();
if (entries.size() == 0) {
return res;
}
if (extensions == null) {
// create extension if not exist
certInfo.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
extensions = new CertificateExtensions();
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
} else {
// check to see if AIA is already exist
try {
extensions.delete(CertificateScopeOfUseExtension.NAME);
log(ILogger.LL_INFO, "Previous extension deleted: " + CertificateScopeOfUseExtension.NAME);
} catch (IOException ex) {
}
}
// Create the extension
CertificateScopeOfUseExtension suExt = new
CertificateScopeOfUseExtension(mConfig.getBoolean(
PROP_CRITICAL, false), entries);
extensions.set(CertificateScopeOfUseExtension.NAME, suExt);
} catch (IOException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, e.getMessage());
return PolicyResult.REJECTED; // unrecoverable error.
} catch (EBaseException e) {
log(ILogger.LL_FAILURE,
"Configuration Info Error encountered: " +
e.getMessage());
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, "Configuration Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
} catch (CertificateException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, "Certificate Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
}
}
return res;
}
/**
* Return configured parameters for a policy rule instance.
*
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getInstanceParams() {
Vector params = new Vector();
try {
params.addElement(PROP_CRITICAL + "=" +
mConfig.getBoolean(PROP_CRITICAL, false));
} catch (EBaseException e) {
}
for (int i = 0;; i++) {
String name_type = null;
try {
name_type = mConfig.getString(PROP_ENTRY +
Integer.toString(i) + "_" + PROP_NAME_TYPE,
null);
} catch (EBaseException e) {
}
if (name_type == null)
break;
params.addElement(PROP_ENTRY +
Integer.toString(i) +
"_" + PROP_NAME_TYPE + "=" + name_type);
String name = null;
try {
name = mConfig.getString(PROP_ENTRY +
Integer.toString(i) + "_" + PROP_NAME,
null);
} catch (EBaseException e) {
}
if (name == null)
break;
params.addElement(PROP_ENTRY +
Integer.toString(i) +
"_" + PROP_NAME + "=" + name);
String port = null;
try {
port = mConfig.getString(PROP_ENTRY +
Integer.toString(i) + "_" + PROP_PORT_NUMBER,
"");
} catch (EBaseException e) {
}
params.addElement(PROP_ENTRY +
Integer.toString(i) +
"_" + PROP_PORT_NUMBER + "=" + port);
}
return params;
}
/**
* Return default parameters for a policy implementation.
*
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getDefaultParams() {
Vector defParams = new Vector();
defParams.addElement(PROP_CRITICAL + "=false");
//
// By default, we create MAX_AD access descriptions.
// If this is not enough, admin can manually edit
// the CMS.cfg
//
for (int i = 0; i < MAX_ENTRY; i++) {
defParams.addElement(PROP_ENTRY + Integer.toString(i) +
"_" + PROP_NAME_TYPE + "=");
defParams.addElement(PROP_ENTRY + Integer.toString(i) +
"_" + PROP_NAME + "=");
defParams.addElement(PROP_ENTRY + Integer.toString(i) +
"_" + PROP_PORT_NUMBER + "=");
}
return defParams;
}
}