diff options
author | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
commit | 171aaece4f23709d33d180cf36eb3af5e454b0c9 (patch) | |
tree | 1485f9f0a7bd10de4ff25030db575dbb8dafae74 /pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java | |
parent | adad2fcee8a29fdb82376fbce07dedb11fccc182 (diff) | |
download | pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.gz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.xz pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.zip |
Revert "Formatting"
This reverts commit 32150d3ee32f8ac27118af7c792794b538c78a2f.
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java | 235 |
1 files changed, 112 insertions, 123 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java index 213212fb..9d519284 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; @@ -40,24 +41,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * SigningAlgorithmConstraints enforces that only a supported signing algorithm - * be requested. + * SigningAlgorithmConstraints enforces that only a supported + * signing algorithm be requested. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SigningAlgorithmConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class SigningAlgorithmConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private String[] mAllowedAlgs = null; // algs allowed by this policy - static String[] mDefaultAllowedAlgs = null; // default algs allowed by this - // policy based on CA's key + static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key private String[] mConfigAlgs = null; // algs listed in config file private boolean winnowedByKey = false; IAuthority mAuthority = null; @@ -94,17 +94,17 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints + * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority(); // Get allowed algorithms from config file @@ -114,11 +114,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements try { algNames = config.getString(PROP_ALGORITHMS, null); } catch (Exception e) { - String[] params = { getInstanceName(), e.toString(), - PROP_ALGORITHMS }; + String[] params = {getInstanceName(), e.toString(), PROP_ALGORITHMS}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PARAM_CONFIG_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params)); } if (algNames != null) { @@ -137,7 +136,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements for (int i = 0; i < itemCount; i++) { mAllowedAlgs[i] = (String) algs.elementAt(i); } - + } } @@ -150,8 +149,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements if (mAllowedAlgs != null) { // winnow out unknown algorithms - winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, - "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); + winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, + "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); } else { // if nothing was in the config file, allow all known algs mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS; @@ -161,8 +160,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements winnowByKey(); if (mAllowedAlgs.length == 0) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME)); } } @@ -183,20 +182,20 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } // get list of algorithms allowed for the key - String[] allowedByKey = ((ICertAuthority) mAuthority) - .getCASigningAlgorithms(); + String[] allowedByKey = + ((ICertAuthority) mAuthority).getCASigningAlgorithms(); if (allowedByKey != null) { - // don't show algorithms that don't match CA's key in UI. + // don't show algorithms that don't match CA's key in UI. mDefaultAllowedAlgs = new String[allowedByKey.length]; for (int i = 0; i < allowedByKey.length; i++) mDefaultAllowedAlgs[i] = allowedByKey[i]; - // winnow out algorithms that don't match CA's signing key - winnowAlgs(allowedByKey, "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", - false); + // winnow out algorithms that don't match CA's signing key + winnowAlgs(allowedByKey, + "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false); winnowedByKey = true; } else { - // We don't know the CA's signing algorithms. Maybe we're + // We don't know the CA's signing algorithms. Maybe we're // an RA that hasn't talked to the CA yet? Try again later. } } @@ -204,15 +203,14 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Winnows out of mAllowedAlgorithms those algorithms that aren't allowed * for some reason. - * - * @param allowed An array of allowed algorithms. Only algorithms in this - * list will survive the winnowing process. - * @param reason A string describing the problem with an algorithm that is - * not allowed by this list. Must be a predefined string in - * PolicyResources. + * + * @param allowed An array of allowed algorithms. Only algorithms in this + * list will survive the winnowing process. + * @param reason A string describing the problem with an algorithm + * that is not allowed by this list. Must be a predefined string in PolicyResources. */ - private void winnowAlgs(String[] allowed, String reason, boolean isError) - throws EBaseException { + private void winnowAlgs(String[] allowed, String reason, boolean isError) + throws EBaseException { int i, j, goodSize; // validate the currently-allowed algorithms @@ -227,13 +225,12 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } // if algorithm is not allowed, log a warning if (j == allowed.length) { - EPolicyException e = new EPolicyException(CMS.getUserMessage( - reason, NAME, mAllowedAlgs[i])); + EPolicyException e = new EPolicyException(CMS.getUserMessage(reason, NAME, mAllowedAlgs[i])); if (isError) { log(ILogger.LL_FAILURE, e.toString()); - throw new EPolicyException(CMS.getUserMessage(reason, NAME, - mAllowedAlgs[i])); + throw new EPolicyException(CMS.getUserMessage(reason, + NAME, mAllowedAlgs[i])); } else { log(ILogger.LL_WARN, e.toString()); } @@ -243,7 +240,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements // convert back into an array goodSize = goodAlgs.size(); if (mAllowedAlgs.length != goodSize) { - mAllowedAlgs = new String[goodSize]; + mAllowedAlgs = new String[ goodSize ]; for (i = 0; i < goodSize; i++) { mAllowedAlgs[i] = (String) goodAlgs.elementAt(i); } @@ -253,8 +250,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -265,10 +262,9 @@ public class SigningAlgorithmConstraints extends APolicyRule implements try { // Get the certificate info from the request - // X509CertInfo certInfo[] = (X509CertInfo[]) - // req.get(IRequest.CERT_INFO); - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + //X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // We need to have a certificate info set if (certInfo == null) { @@ -285,11 +281,11 @@ public class SigningAlgorithmConstraints extends APolicyRule implements winnowByKey(); } - CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) certInfo[i] - .get(X509CertInfo.ALGORITHM_ID); + CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) + certInfo[i].get(X509CertInfo.ALGORITHM_ID); - AlgorithmId algId = (AlgorithmId) certAlgId - .get(CertificateAlgorithmId.ALGORITHM); + AlgorithmId algId = (AlgorithmId) + certAlgId.get(CertificateAlgorithmId.ALGORITHM); String alg = algId.getName(); // test against the list of allowed algorithms @@ -301,28 +297,26 @@ public class SigningAlgorithmConstraints extends APolicyRule implements if (j == mAllowedAlgs.length) { // if the algor doesn't match the CA's key replace // it with one that does. - if (mAllowedAlgs[0].equals("SHA1withDSA") - || alg.equals("SHA1withDSA")) { - certInfo[i].set( - X509CertInfo.ALGORITHM_ID, - new CertificateAlgorithmId(AlgorithmId - .get(mAllowedAlgs[0]))); + if (mAllowedAlgs[0].equals("SHA1withDSA") || + alg.equals("SHA1withDSA")) { + certInfo[i].set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.get(mAllowedAlgs[0]))); return PolicyResult.ACCEPTED; } // didn't find a match, alg not allowed - setError(req, CMS.getUserMessage( - "CMS_POLICY_SIGNING_ALG_VIOLATION", + setError(req, CMS.getUserMessage("CMS_POLICY_SIGNING_ALG_VIOLATION", getInstanceName(), alg), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { // e.printStackTrace(); - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; @@ -330,10 +324,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); StringBuffer sb = new StringBuffer(); @@ -349,10 +343,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { StringBuffer sb = new StringBuffer(); sb.append(PROP_ALGORITHMS); sb.append("="); @@ -371,73 +365,67 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } defConfParams.addElement(sb.toString()); - return defConfParams; + return defConfParams; } public String[] getExtendedPluginInfo(Locale locale) { if (!winnowedByKey) { - try { - winnowByKey(); - } catch (Exception e) { + try { + winnowByKey(); + } catch (Exception e) { } } String[] params = null; String[] params_BOTH = { - PROP_ALGORITHMS - + ";" - + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," - + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA," - + "MD2withRSA\\,SHA1withRSA," - + "MD2withRSA\\,SHA1withDSA," - + "MD5withRSA\\,SHA1withRSA," - + "MD5withRSA\\,SHA1withDSA," - + "SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA," - + "MD5withRSA," - + "SHA1withRSA," - + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " - + "to be one of the algorithms supported by Certificate System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"+ + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withDSA," + + "SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA," + + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " + + "to be one of the algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; String[] params_RSA = { - PROP_ALGORITHMS - + ";" - + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," - + "MD2withRSA\\,MD5withRSA," - + "MD2withRSA\\,SHA1withRSA," - + "MD5withRSA\\,SHA1withRSA," - + "MD2withRSA," - + "MD5withRSA," - + "SHA1withRSA);Restrict the requested signing algorithm to be " - + "one of the algorithms supported by Certificate System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA);Restrict the requested signing algorithm to be " + + "one of the algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; String[] params_DSA = { - PROP_ALGORITHMS - + ";" - + "choice(SHA1withDSA);Restrict the requested signing " - + "algorithm to be one of the algorithms supported by Certificate " - + "System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " + + "algorithm to be one of the algorithms supported by Certificate " + + "System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; switch (mDefaultAllowedAlgs.length) { case 1: @@ -459,3 +447,4 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } } + |