// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Locale; import java.util.Vector; import netscape.security.x509.CertificateChain; import netscape.security.x509.CertificateExtensions; import netscape.security.x509.CertificateVersion; import netscape.security.x509.KeyUsageExtension; import netscape.security.x509.X509CertInfo; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authority.ICertAuthority; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.policy.IPolicyProcessor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * Policy to add Key Usage Extension. * Adds the key usage extension based on what's requested. *
* *
* NOTE: The Policy Framework has been replaced by the Profile Framework. **
* * @deprecated * @version $Revision$, $Date$ */ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String HTTP_INPUT = "HTTP_INPUT"; protected static final boolean[] DEF_BITS = new boolean[KeyUsageExtension.NBITS]; protected int mCAPathLen = -1; protected IConfigStore mConfig = null; protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_DIGITAL_SIGNATURE = "digitalSignature"; protected static final String PROP_NON_REPUDIATION = "nonRepudiation"; protected static final String PROP_KEY_ENCIPHERMENT = "keyEncipherment"; protected static final String PROP_DATA_ENCIPHERMENT = "dataEncipherment"; protected static final String PROP_KEY_AGREEMENT = "keyAgreement"; protected static final String PROP_KEY_CERTSIGN = "keyCertsign"; protected static final String PROP_CRL_SIGN = "crlSign"; protected static final String PROP_ENCIPHER_ONLY = "encipherOnly"; protected static final String PROP_DECIPHER_ONLY = "decipherOnly"; protected boolean mCritical; protected String mDigitalSignature; protected String mNonRepudiation; protected String mKeyEncipherment; protected String mDataEncipherment; protected String mKeyAgreement; protected String mKeyCertsign; protected String mCrlSign; protected String mEncipherOnly; protected String mDecipherOnly; protected KeyUsageExtension mKeyUsage; public KeyUsageExt() { NAME = "KeyUsageExtPolicy"; DESC = "Sets Key Usage Extension in certificates."; } /** * Initializes this policy rule. *
*
* The entries may be of the form:
*
* ca.Policy.rule.
*
* @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
X509CertInfo[] ci =
req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (ci == null || ci[0] == null) {
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
return PolicyResult.REJECTED; // unrecoverable error.
}
for (int i = 0; i < ci.length; i++) {
PolicyResult certRes = applyCert(req, ci[i]);
if (certRes == PolicyResult.REJECTED)
return certRes;
}
return PolicyResult.ACCEPTED;
}
public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) {
try {
CertificateExtensions extensions = (CertificateExtensions)
certInfo.get(X509CertInfo.EXTENSIONS);
KeyUsageExtension ext = null;
if (extensions != null) {
try {
ext = (KeyUsageExtension)
extensions.get(KeyUsageExtension.NAME);
} catch (IOException e) {
// extension isn't there.
ext = null;
}
// check if CA does not allow subordinate CA certs.
// otherwise accept existing key usage extension.
if (ext != null) {
if (mCAPathLen == 0) {
boolean[] bits = ext.getBits();
if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT &&
bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) ||
(bits.length > KeyUsageExtension.CRL_SIGN_BIT &&
bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) {
setError(req,
CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"),
NAME);
return PolicyResult.REJECTED;
}
}
return PolicyResult.ACCEPTED;
}
} else {
// create extensions set if none.
if (extensions == null) {
certInfo.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
extensions = new CertificateExtensions();
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
}
}
boolean[] bits = new boolean[KeyUsageExtension.NBITS];
bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature",
mDigitalSignature, req);
bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation",
mNonRepudiation, req);
bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment",
mKeyEncipherment, req);
bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment",
mDataEncipherment, req);
bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement",
mKeyAgreement, req);
bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign",
mKeyCertsign, req);
bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req);
bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only",
mEncipherOnly, req);
bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only",
mDecipherOnly, req);
// don't allow no bits set or the extension does not
// encode/decode properlly.
boolean bitset = false;
for (int i = 0; i < bits.length; i++) {
if (bits[i]) {
bitset = true;
break;
}
}
if (!bitset) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME));
setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"),
NAME);
return PolicyResult.REJECTED;
}
// create the extension.
try {
mKeyUsage = new KeyUsageExtension(mCritical, bits);
} catch (IOException e) {
}
extensions.set(KeyUsageExtension.NAME, mKeyUsage);
return PolicyResult.ACCEPTED;
} catch (IOException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, e.getMessage());
return PolicyResult.REJECTED; // unrecoverable error.
} catch (CertificateException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
NAME, "Certificate Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
}
}
/**
* Return configured parameters for a policy rule instance.
*
* @return nvPairs A Vector of name/value pairs.
*/
public Vector