// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; import java.util.Vector; import netscape.security.x509.CertificateExtensions; import netscape.security.x509.CertificateVersion; import netscape.security.x509.GeneralSubtree; import netscape.security.x509.GeneralSubtrees; import netscape.security.x509.NameConstraintsExtension; import netscape.security.x509.X509CertInfo; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.policy.IEnrollmentPolicy; import com.netscape.certsrv.policy.IGeneralNameAsConstraintsConfig; import com.netscape.certsrv.policy.IPolicyProcessor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; /** * Name Constraints Extension Policy * Adds the name constraints extension to a (CA) certificate. * Filtering of CA certificates is done through predicates. *

* *

 * NOTE:  The Policy Framework has been replaced by the Profile Framework.
 *

* * @deprecated * @version $Revision$, $Date$ */ public class NameConstraintsExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_PERMITTEDSUBTREES = "numPermittedSubtrees"; protected static final String PROP_NUM_EXCLUDEDSUBTREES = "numExcludedSubtrees"; protected static final String PROP_PERMITTEDSUBTREES = "permittedSubtrees"; protected static final String PROP_EXCLUDEDSUBTREES = "excludedSubtrees"; protected static final boolean DEF_CRITICAL = true; protected static final int DEF_NUM_PERMITTEDSUBTREES = 8; protected static final int DEF_NUM_EXCLUDEDSUBTREES = 8; protected boolean mEnabled = false; protected IConfigStore mConfig = null; protected boolean mCritical = DEF_CRITICAL; protected int mNumPermittedSubtrees = 0; protected int mNumExcludedSubtrees = 0; protected Subtree[] mPermittedSubtrees = null; protected Subtree[] mExcludedSubtrees = null; protected NameConstraintsExtension mNameConstraintsExtension = null; protected Vector mInstanceParams = new Vector(); public NameConstraintsExt() { NAME = "NameConstraintsExt"; DESC = "Sets Name Constraints Extension on subordinate CA certificates"; } /** * Initializes this policy rule. *

* * The entries may be of the form: * * ca.Policy.rule..predicate=certType==ca ca.Policy.rule..implName= * ca.Policy.rule..enable=true * * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) throws EBaseException { mConfig = config; // XXX should do do this ? // if CA does not allow subordinate CAs by way of basic constraints, // this policy always rejects /***** * ICertAuthority certAuthority = (ICertAuthority) * ((IPolicyProcessor)owner).getAuthority(); * if (certAuthority instanceof ICertificateAuthority) { * CertificateChain caChain = certAuthority.getCACertChain(); * X509Certificate caCert = null; * // Note that in RA the chain could be null if CA was not up when * // RA was started. In that case just set the length to -1 and let * // CA reject if it does not allow any subordinate CA certs. * if (caChain != null) { * caCert = caChain.getFirstCertificate(); * if (caCert != null) * mCAPathLen = caCert.getBasicConstraints(); * } * } ****/ mEnabled = mConfig.getBoolean( IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); mNumPermittedSubtrees = mConfig.getInteger( PROP_NUM_PERMITTEDSUBTREES, DEF_NUM_PERMITTEDSUBTREES); mNumExcludedSubtrees = mConfig.getInteger( PROP_NUM_EXCLUDEDSUBTREES, DEF_NUM_EXCLUDEDSUBTREES); if (mNumPermittedSubtrees < 0) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_PERMITTEDSUBTREES, "value must be greater than or equal to 0")); } if (mNumExcludedSubtrees < 0) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_EXCLUDEDSUBTREES, "value must be greater than or equal to 0")); } // init permitted subtrees if any. if (mNumPermittedSubtrees > 0) { mPermittedSubtrees = form_subtrees(PROP_PERMITTEDSUBTREES, mNumPermittedSubtrees); CMS.debug("NameConstraintsExt: formed permitted subtrees"); } // init excluded subtrees if any. if (mNumExcludedSubtrees > 0) { mExcludedSubtrees = form_subtrees(PROP_EXCLUDEDSUBTREES, mNumExcludedSubtrees); CMS.debug("NameConstraintsExt: formed excluded subtrees"); } // create instance of name constraints extension if enabled. if (mEnabled) { try { Vector permittedSubtrees = new Vector(); for (int i = 0; i < mNumPermittedSubtrees; i++) { permittedSubtrees.addElement( mPermittedSubtrees[i].mGeneralSubtree); } Vector excludedSubtrees = new Vector(); for (int j = 0; j < mNumExcludedSubtrees; j++) { excludedSubtrees.addElement( mExcludedSubtrees[j].mGeneralSubtree); } GeneralSubtrees psb = null; if (permittedSubtrees.size() > 0) { psb = new GeneralSubtrees(permittedSubtrees); } GeneralSubtrees esb = null; if (excludedSubtrees.size() > 0) { esb = new GeneralSubtrees(excludedSubtrees); } mNameConstraintsExtension = new NameConstraintsExtension(mCritical, psb, esb); CMS.debug("NameConstraintsExt: formed Name Constraints Extension " + mNameConstraintsExtension); } catch (IOException e) { throw new EBaseException( CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Error initializing Name Constraints Extension: " + e)); } } // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement( PROP_NUM_PERMITTEDSUBTREES + "=" + mNumPermittedSubtrees); mInstanceParams.addElement( PROP_NUM_EXCLUDEDSUBTREES + "=" + mNumExcludedSubtrees); if (mNumPermittedSubtrees > 0) { for (int i = 0; i < mPermittedSubtrees.length; i++) mPermittedSubtrees[i].getInstanceParams(mInstanceParams); } if (mNumExcludedSubtrees > 0) { for (int j = 0; j < mExcludedSubtrees.length; j++) mExcludedSubtrees[j].getInstanceParams(mInstanceParams); } } Subtree[] form_subtrees(String subtreesName, int numSubtrees) throws EBaseException { Subtree[] subtrees = new Subtree[numSubtrees]; for (int i = 0; i < numSubtrees; i++) { String subtreeName = subtreesName + i; IConfigStore subtreeConfig = mConfig.getSubStore(subtreeName); Subtree subtree = new Subtree(subtreeName, subtreeConfig, mEnabled); subtrees[i] = subtree; } return subtrees; } /** * Adds Name Constraints Extension to a (CA) certificate. * * If a Name constraints Extension is already there, accept it if * it's been approved by agent, else replace it. * * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // if extension hasn't been properly configured reject requests until // it has been resolved (or disabled). if (mNameConstraintsExtension == null) { //setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); //return PolicyResult.REJECTED; return PolicyResult.ACCEPTED; } // get certInfo from request. X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { PolicyResult certRes = applyCert(req, ci[i]); if (certRes == PolicyResult.REJECTED) return certRes; } return PolicyResult.ACCEPTED; } public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { // check if name constraints extension already exists. // if not agent approved, replace name constraints extension with ours. // else ignore. try { NameConstraintsExtension nameConstraintsExt = null; CertificateExtensions extensions = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { nameConstraintsExt = (NameConstraintsExtension) extensions.get(NameConstraintsExtension.NAME); } } catch (IOException e) { // extension isn't there. } if (nameConstraintsExt != null) { if (agentApproved(req)) { CMS.debug( "NameConstraintsExt: request id from agent " + req.getRequestId() + " already has name constraints - accepted"); return PolicyResult.ACCEPTED; } else { CMS.debug( "NameConstraintsExt: request id " + req.getRequestId() + " from user " + " already has name constraints - deleted"); extensions.delete(NameConstraintsExtension.NAME); } } if (extensions == null) { certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } extensions.set( NameConstraintsExtension.NAME, mNameConstraintsExtension); CMS.debug( "NameConstraintsExt: added Name Constraints Extension to request " + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", e.getMessage())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { return mInstanceParams; } /** * Default config parameters. * To add more permitted or excluded subtrees, * increase the num to greater than 0 and more configuration params * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); mDefParams.addElement( PROP_NUM_PERMITTEDSUBTREES + "=" + DEF_NUM_PERMITTEDSUBTREES); mDefParams.addElement( PROP_NUM_EXCLUDEDSUBTREES + "=" + DEF_NUM_EXCLUDEDSUBTREES); for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { Subtree.getDefaultParams(PROP_PERMITTEDSUBTREES + k, mDefParams); } for (int l = 0; l < DEF_NUM_EXCLUDEDSUBTREES; l++) { Subtree.getDefaultParams(PROP_EXCLUDEDSUBTREES + l, mDefParams); } } /** * Return default parameters for a policy implementation. * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be critical."); theparams.addElement( PROP_NUM_PERMITTEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); theparams.addElement( PROP_NUM_EXCLUDEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); // now do the subtrees. for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { Subtree.getExtendedPluginInfo(PROP_PERMITTEDSUBTREES + k, theparams); } for (int l = 0; l < DEF_NUM_EXCLUDEDSUBTREES; l++) { Subtree.getExtendedPluginInfo(PROP_EXCLUDEDSUBTREES + l, theparams); } theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-nameconstraints"); theparams.addElement(IExtendedPluginInfo.HELP_TEXT + ";Adds Name Constraints Extension. See RFC 2459"); String[] info = new String[theparams.size()]; theparams.copyInto(info); return info; } } /** * subtree configuration */ class Subtree { protected static final String PROP_BASE = "base"; protected static final String PROP_MIN = "min"; protected static final String PROP_MAX = "max"; protected static final int DEF_MIN = 0; protected static final int DEF_MAX = -1; // -1 (less than 0) means not set. protected static final String MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; String mName = null; IConfigStore mConfig = null; int mMin = DEF_MIN, mMax = DEF_MAX; IGeneralNameAsConstraintsConfig mBase = null; GeneralSubtree mGeneralSubtree = null; String mNameDot = null; String mNameDotMin = null; String mNameDotMax = null; public Subtree( String subtreeName, IConfigStore config, boolean policyEnabled) throws EBaseException { mName = subtreeName; mConfig = config; if (mName != null) { mNameDot = mName + "."; mNameDotMin = mNameDot + PROP_MIN; mNameDotMax = mNameDot + PROP_MAX; } else { mNameDot = ""; mNameDotMin = PROP_MIN; mNameDotMax = PROP_MAX; } // necessary to expand/shrink # general names from console. if (mConfig.size() == 0) { mConfig.putInteger(mNameDotMin, mMin); mConfig.putInteger(mNameDotMax, mMax); // GeneralNameConfig will take care of stuff for generalname. } // if policy enabled get values to form the general subtree. mMin = mConfig.getInteger(PROP_MIN, DEF_MIN); mMax = mConfig.getInteger(PROP_MAX, DEF_MAX); if (mMax < -1) mMax = -1; mBase = CMS.createGeneralNameAsConstraintsConfig( mNameDot + PROP_BASE, mConfig.getSubStore(PROP_BASE), true, policyEnabled); if (policyEnabled) { mGeneralSubtree = new GeneralSubtree(mBase.getGeneralName(), mMin, mMax); } } void getInstanceParams(Vector instanceParams) { mBase.getInstanceParams(instanceParams); instanceParams.addElement(mNameDotMin + "=" + mMin); instanceParams.addElement(mNameDotMax + "=" + mMax); } static void getDefaultParams(String name, Vector params) { String nameDot = ""; if (name != null && name.length() >= 0) nameDot = name + "."; CMS.getGeneralNameConfigDefaultParams(nameDot + PROP_BASE, true, params); params.addElement(nameDot + PROP_MIN + "=" + DEF_MIN); params.addElement(nameDot + PROP_MAX + "=" + DEF_MAX); } static void getExtendedPluginInfo(String name, Vector info) { String nameDot = ""; if (name != null && name.length() > 0) nameDot = name + "."; CMS.getGeneralNameConfigExtendedPluginInfo(nameDot + PROP_BASE, true, info); info.addElement(nameDot + PROP_MIN + ";" + MINMAX_INFO); info.addElement(nameDot + PROP_MAX + ";" + MINMAX_INFO); } }