summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2011-12-08 21:15:59 -0500
committerAde Lee <alee@redhat.com>2011-12-08 21:15:59 -0500
commit171aaece4f23709d33d180cf36eb3af5e454b0c9 (patch)
tree1485f9f0a7bd10de4ff25030db575dbb8dafae74 /pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
parentadad2fcee8a29fdb82376fbce07dedb11fccc182 (diff)
downloadpki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.gz
pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.tar.xz
pki-171aaece4f23709d33d180cf36eb3af5e454b0c9.zip
Revert "Formatting"
This reverts commit 32150d3ee32f8ac27118af7c792794b538c78a2f.
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java235
1 files changed, 112 insertions, 123 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
index 213212fb..9d519284 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.constraints;
+
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.Vector;
@@ -40,24 +41,23 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
+
/**
- * SigningAlgorithmConstraints enforces that only a supported signing algorithm
- * be requested.
+ * SigningAlgorithmConstraints enforces that only a supported
+ * signing algorithm be requested.
* <P>
- *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class SigningAlgorithmConstraints extends APolicyRule implements
- IEnrollmentPolicy, IExtendedPluginInfo {
+public class SigningAlgorithmConstraints extends APolicyRule
+ implements IEnrollmentPolicy, IExtendedPluginInfo {
private String[] mAllowedAlgs = null; // algs allowed by this policy
- static String[] mDefaultAllowedAlgs = null; // default algs allowed by this
- // policy based on CA's key
+ static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key
private String[] mConfigAlgs = null; // algs listed in config file
private boolean winnowedByKey = false;
IAuthority mAuthority = null;
@@ -94,17 +94,17 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries probably are of the form
- * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints
- * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA
- * ra.Policy.rule.<ruleName>.enable=true
- * ra.Policy.rule.<ruleName>.predicate=ou==Sales
- *
- * @param config The config store reference
+ * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints
+ * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA
+ * ra.Policy.rule.<ruleName>.enable=true
+ * ra.Policy.rule.<ruleName>.predicate=ou==Sales
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority();
// Get allowed algorithms from config file
@@ -114,11 +114,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
try {
algNames = config.getString(PROP_ALGORITHMS, null);
} catch (Exception e) {
- String[] params = { getInstanceName(), e.toString(),
- PROP_ALGORITHMS };
+ String[] params = {getInstanceName(), e.toString(), PROP_ALGORITHMS};
- throw new EPolicyException(CMS.getUserMessage(
- "CMS_POLICY_PARAM_CONFIG_ERROR", params));
+ throw new EPolicyException(
+ CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params));
}
if (algNames != null) {
@@ -137,7 +136,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
for (int i = 0; i < itemCount; i++) {
mAllowedAlgs[i] = (String) algs.elementAt(i);
}
-
+
}
}
@@ -150,8 +149,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
if (mAllowedAlgs != null) {
// winnow out unknown algorithms
- winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS,
- "CMS_POLICY_UNKNOWN_SIGNING_ALG", true);
+ winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS,
+ "CMS_POLICY_UNKNOWN_SIGNING_ALG", true);
} else {
// if nothing was in the config file, allow all known algs
mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS;
@@ -161,8 +160,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
winnowByKey();
if (mAllowedAlgs.length == 0) {
- throw new EPolicyException(CMS.getUserMessage(
- "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME));
+ throw new EPolicyException(
+ CMS.getUserMessage("CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME));
}
}
@@ -183,20 +182,20 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
}
// get list of algorithms allowed for the key
- String[] allowedByKey = ((ICertAuthority) mAuthority)
- .getCASigningAlgorithms();
+ String[] allowedByKey =
+ ((ICertAuthority) mAuthority).getCASigningAlgorithms();
if (allowedByKey != null) {
- // don't show algorithms that don't match CA's key in UI.
+ // don't show algorithms that don't match CA's key in UI.
mDefaultAllowedAlgs = new String[allowedByKey.length];
for (int i = 0; i < allowedByKey.length; i++)
mDefaultAllowedAlgs[i] = allowedByKey[i];
- // winnow out algorithms that don't match CA's signing key
- winnowAlgs(allowedByKey, "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1",
- false);
+ // winnow out algorithms that don't match CA's signing key
+ winnowAlgs(allowedByKey,
+ "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false);
winnowedByKey = true;
} else {
- // We don't know the CA's signing algorithms. Maybe we're
+ // We don't know the CA's signing algorithms. Maybe we're
// an RA that hasn't talked to the CA yet? Try again later.
}
}
@@ -204,15 +203,14 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
/**
* Winnows out of mAllowedAlgorithms those algorithms that aren't allowed
* for some reason.
- *
- * @param allowed An array of allowed algorithms. Only algorithms in this
- * list will survive the winnowing process.
- * @param reason A string describing the problem with an algorithm that is
- * not allowed by this list. Must be a predefined string in
- * PolicyResources.
+ *
+ * @param allowed An array of allowed algorithms. Only algorithms in this
+ * list will survive the winnowing process.
+ * @param reason A string describing the problem with an algorithm
+ * that is not allowed by this list. Must be a predefined string in PolicyResources.
*/
- private void winnowAlgs(String[] allowed, String reason, boolean isError)
- throws EBaseException {
+ private void winnowAlgs(String[] allowed, String reason, boolean isError)
+ throws EBaseException {
int i, j, goodSize;
// validate the currently-allowed algorithms
@@ -227,13 +225,12 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
}
// if algorithm is not allowed, log a warning
if (j == allowed.length) {
- EPolicyException e = new EPolicyException(CMS.getUserMessage(
- reason, NAME, mAllowedAlgs[i]));
+ EPolicyException e = new EPolicyException(CMS.getUserMessage(reason, NAME, mAllowedAlgs[i]));
if (isError) {
log(ILogger.LL_FAILURE, e.toString());
- throw new EPolicyException(CMS.getUserMessage(reason, NAME,
- mAllowedAlgs[i]));
+ throw new EPolicyException(CMS.getUserMessage(reason,
+ NAME, mAllowedAlgs[i]));
} else {
log(ILogger.LL_WARN, e.toString());
}
@@ -243,7 +240,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
// convert back into an array
goodSize = goodAlgs.size();
if (mAllowedAlgs.length != goodSize) {
- mAllowedAlgs = new String[goodSize];
+ mAllowedAlgs = new String[ goodSize ];
for (i = 0; i < goodSize; i++) {
mAllowedAlgs[i] = (String) goodAlgs.elementAt(i);
}
@@ -253,8 +250,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
/**
* Applies the policy on the given Request.
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
@@ -265,10 +262,9 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
try {
// Get the certificate info from the request
- // X509CertInfo certInfo[] = (X509CertInfo[])
- // req.get(IRequest.CERT_INFO);
- X509CertInfo certInfo[] = req
- .getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ //X509CertInfo certInfo[] = (X509CertInfo[])
+ // req.get(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
// We need to have a certificate info set
if (certInfo == null) {
@@ -285,11 +281,11 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
winnowByKey();
}
- CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) certInfo[i]
- .get(X509CertInfo.ALGORITHM_ID);
+ CertificateAlgorithmId certAlgId = (CertificateAlgorithmId)
+ certInfo[i].get(X509CertInfo.ALGORITHM_ID);
- AlgorithmId algId = (AlgorithmId) certAlgId
- .get(CertificateAlgorithmId.ALGORITHM);
+ AlgorithmId algId = (AlgorithmId)
+ certAlgId.get(CertificateAlgorithmId.ALGORITHM);
String alg = algId.getName();
// test against the list of allowed algorithms
@@ -301,28 +297,26 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
if (j == mAllowedAlgs.length) {
// if the algor doesn't match the CA's key replace
// it with one that does.
- if (mAllowedAlgs[0].equals("SHA1withDSA")
- || alg.equals("SHA1withDSA")) {
- certInfo[i].set(
- X509CertInfo.ALGORITHM_ID,
- new CertificateAlgorithmId(AlgorithmId
- .get(mAllowedAlgs[0])));
+ if (mAllowedAlgs[0].equals("SHA1withDSA") ||
+ alg.equals("SHA1withDSA")) {
+ certInfo[i].set(X509CertInfo.ALGORITHM_ID,
+ new CertificateAlgorithmId(
+ AlgorithmId.get(mAllowedAlgs[0])));
return PolicyResult.ACCEPTED;
}
// didn't find a match, alg not allowed
- setError(req, CMS.getUserMessage(
- "CMS_POLICY_SIGNING_ALG_VIOLATION",
+ setError(req, CMS.getUserMessage("CMS_POLICY_SIGNING_ALG_VIOLATION",
getInstanceName(), alg), "");
result = PolicyResult.REJECTED;
}
}
} catch (Exception e) {
// e.printStackTrace();
- String params[] = { getInstanceName(), e.toString() };
+ String params[] = {getInstanceName(), e.toString()};
- setError(req, CMS.getUserMessage(
- "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
+ params), "");
result = PolicyResult.REJECTED;
}
return result;
@@ -330,10 +324,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
Vector confParams = new Vector();
StringBuffer sb = new StringBuffer();
@@ -349,10 +343,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getDefaultParams() {
+ public Vector getDefaultParams() {
StringBuffer sb = new StringBuffer();
sb.append(PROP_ALGORITHMS);
sb.append("=");
@@ -371,73 +365,67 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
}
defConfParams.addElement(sb.toString());
- return defConfParams;
+ return defConfParams;
}
public String[] getExtendedPluginInfo(Locale locale) {
if (!winnowedByKey) {
- try {
- winnowByKey();
- } catch (Exception e) {
+ try {
+ winnowByKey();
+ } catch (Exception e) {
}
}
String[] params = null;
String[] params_BOTH = {
- PROP_ALGORITHMS
- + ";"
- + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA,"
- + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"
- + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA,"
- + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA,"
- + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"
- + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA,"
- + "MD2withRSA\\,MD5withRSA,"
- + "MD2withRSA\\,SHA1withRSA,"
- + "MD2withRSA\\,SHA1withDSA,"
- + "MD5withRSA\\,SHA1withRSA,"
- + "MD5withRSA\\,SHA1withDSA,"
- + "SHA1withRSA\\,SHA1withDSA,"
- + "MD2withRSA,"
- + "MD5withRSA,"
- + "SHA1withRSA,"
- + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm "
- + "to be one of the algorithms supported by Certificate System",
- IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT
- + ";Restricts the requested signing algorithm to be one of"
- + " the algorithms supported by Certificate System" };
+ PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," +
+ "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"+
+ "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," +
+ "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," +
+ "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," +
+ "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," +
+ "MD2withRSA\\,MD5withRSA," +
+ "MD2withRSA\\,SHA1withRSA," +
+ "MD2withRSA\\,SHA1withDSA," +
+ "MD5withRSA\\,SHA1withRSA," +
+ "MD5withRSA\\,SHA1withDSA," +
+ "SHA1withRSA\\,SHA1withDSA," +
+ "MD2withRSA," +
+ "MD5withRSA," +
+ "SHA1withRSA," +
+ "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " +
+ "to be one of the algorithms supported by Certificate System",
+ IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";Restricts the requested signing algorithm to be one of" +
+ " the algorithms supported by Certificate System"
+ };
String[] params_RSA = {
- PROP_ALGORITHMS
- + ";"
- + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA,"
- + "MD2withRSA\\,MD5withRSA,"
- + "MD2withRSA\\,SHA1withRSA,"
- + "MD5withRSA\\,SHA1withRSA,"
- + "MD2withRSA,"
- + "MD5withRSA,"
- + "SHA1withRSA);Restrict the requested signing algorithm to be "
- + "one of the algorithms supported by Certificate System",
- IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT
- + ";Restricts the requested signing algorithm to be one of"
- + " the algorithms supported by Certificate System" };
+ PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," +
+ "MD2withRSA\\,MD5withRSA," +
+ "MD2withRSA\\,SHA1withRSA," +
+ "MD5withRSA\\,SHA1withRSA," +
+ "MD2withRSA," +
+ "MD5withRSA," +
+ "SHA1withRSA);Restrict the requested signing algorithm to be " +
+ "one of the algorithms supported by Certificate System",
+ IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";Restricts the requested signing algorithm to be one of" +
+ " the algorithms supported by Certificate System"
+ };
String[] params_DSA = {
- PROP_ALGORITHMS
- + ";"
- + "choice(SHA1withDSA);Restrict the requested signing "
- + "algorithm to be one of the algorithms supported by Certificate "
- + "System",
- IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT
- + ";Restricts the requested signing algorithm to be one of"
- + " the algorithms supported by Certificate System" };
+ PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " +
+ "algorithm to be one of the algorithms supported by Certificate " +
+ "System",
+ IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";Restricts the requested signing algorithm to be one of" +
+ " the algorithms supported by Certificate System"
+ };
switch (mDefaultAllowedAlgs.length) {
case 1:
@@ -459,3 +447,4 @@ public class SigningAlgorithmConstraints extends APolicyRule implements
}
}
+
generated by cgit (git 2.34.1) at 2024-06-07 17:11:31 +0000