summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java235
1 files changed, 123 insertions, 112 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
index 9d519284..213212fb 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.constraints;
-
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.Vector;
@@ -41,23 +40,24 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
- * SigningAlgorithmConstraints enforces that only a supported
- * signing algorithm be requested.
+ * SigningAlgorithmConstraints enforces that only a supported signing algorithm
+ * be requested.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class SigningAlgorithmConstraints extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+public class SigningAlgorithmConstraints extends APolicyRule implements
+ IEnrollmentPolicy, IExtendedPluginInfo {
private String[] mAllowedAlgs = null; // algs allowed by this policy
- static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key
+ static String[] mDefaultAllowedAlgs = null; // default algs allowed by this
+ // policy based on CA's key
private String[] mConfigAlgs = null; // algs listed in config file
private boolean winnowedByKey = false;
IAuthority mAuthority = null;
@@ -94,17 +94,17 @@ public class SigningAlgorithmConstraints extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries probably are of the form
- * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints
- * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA
- * ra.Policy.rule.<ruleName>.enable=true
- * ra.Policy.rule.<ruleName>.predicate=ou==Sales
- *
- * @param config The config store reference
+ * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints
+ * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA
+ * ra.Policy.rule.<ruleName>.enable=true
+ * ra.Policy.rule.<ruleName>.predicate=ou==Sales
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority();
// Get allowed algorithms from config file
@@ -114,10 +114,11 @@ public class SigningAlgorithmConstraints extends APolicyRule
try {
algNames = config.getString(PROP_ALGORITHMS, null);
} catch (Exception e) {
- String[] params = {getInstanceName(), e.toString(), PROP_ALGORITHMS};
+ String[] params = { getInstanceName(), e.toString(),
+ PROP_ALGORITHMS };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PARAM_CONFIG_ERROR", params));
}
if (algNames != null) {
@@ -136,7 +137,7 @@ public class SigningAlgorithmConstraints extends APolicyRule
for (int i = 0; i < itemCount; i++) {
mAllowedAlgs[i] = (String) algs.elementAt(i);
}
-
+
}
}
@@ -149,8 +150,8 @@ public class SigningAlgorithmConstraints extends APolicyRule
if (mAllowedAlgs != null) {
// winnow out unknown algorithms
- winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS,
- "CMS_POLICY_UNKNOWN_SIGNING_ALG", true);
+ winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS,
+ "CMS_POLICY_UNKNOWN_SIGNING_ALG", true);
} else {
// if nothing was in the config file, allow all known algs
mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS;
@@ -160,8 +161,8 @@ public class SigningAlgorithmConstraints extends APolicyRule
winnowByKey();
if (mAllowedAlgs.length == 0) {
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME));
}
}
@@ -182,20 +183,20 @@ public class SigningAlgorithmConstraints extends APolicyRule
}
// get list of algorithms allowed for the key
- String[] allowedByKey =
- ((ICertAuthority) mAuthority).getCASigningAlgorithms();
+ String[] allowedByKey = ((ICertAuthority) mAuthority)
+ .getCASigningAlgorithms();
if (allowedByKey != null) {
- // don't show algorithms that don't match CA's key in UI.
+ // don't show algorithms that don't match CA's key in UI.
mDefaultAllowedAlgs = new String[allowedByKey.length];
for (int i = 0; i < allowedByKey.length; i++)
mDefaultAllowedAlgs[i] = allowedByKey[i];
- // winnow out algorithms that don't match CA's signing key
- winnowAlgs(allowedByKey,
- "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false);
+ // winnow out algorithms that don't match CA's signing key
+ winnowAlgs(allowedByKey, "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1",
+ false);
winnowedByKey = true;
} else {
- // We don't know the CA's signing algorithms. Maybe we're
+ // We don't know the CA's signing algorithms. Maybe we're
// an RA that hasn't talked to the CA yet? Try again later.
}
}
@@ -203,14 +204,15 @@ public class SigningAlgorithmConstraints extends APolicyRule
/**
* Winnows out of mAllowedAlgorithms those algorithms that aren't allowed
* for some reason.
- *
- * @param allowed An array of allowed algorithms. Only algorithms in this
- * list will survive the winnowing process.
- * @param reason A string describing the problem with an algorithm
- * that is not allowed by this list. Must be a predefined string in PolicyResources.
+ *
+ * @param allowed An array of allowed algorithms. Only algorithms in this
+ * list will survive the winnowing process.
+ * @param reason A string describing the problem with an algorithm that is
+ * not allowed by this list. Must be a predefined string in
+ * PolicyResources.
*/
- private void winnowAlgs(String[] allowed, String reason, boolean isError)
- throws EBaseException {
+ private void winnowAlgs(String[] allowed, String reason, boolean isError)
+ throws EBaseException {
int i, j, goodSize;
// validate the currently-allowed algorithms
@@ -225,12 +227,13 @@ public class SigningAlgorithmConstraints extends APolicyRule
}
// if algorithm is not allowed, log a warning
if (j == allowed.length) {
- EPolicyException e = new EPolicyException(CMS.getUserMessage(reason, NAME, mAllowedAlgs[i]));
+ EPolicyException e = new EPolicyException(CMS.getUserMessage(
+ reason, NAME, mAllowedAlgs[i]));
if (isError) {
log(ILogger.LL_FAILURE, e.toString());
- throw new EPolicyException(CMS.getUserMessage(reason,
- NAME, mAllowedAlgs[i]));
+ throw new EPolicyException(CMS.getUserMessage(reason, NAME,
+ mAllowedAlgs[i]));
} else {
log(ILogger.LL_WARN, e.toString());
}
@@ -240,7 +243,7 @@ public class SigningAlgorithmConstraints extends APolicyRule
// convert back into an array
goodSize = goodAlgs.size();
if (mAllowedAlgs.length != goodSize) {
- mAllowedAlgs = new String[ goodSize ];
+ mAllowedAlgs = new String[goodSize];
for (i = 0; i < goodSize; i++) {
mAllowedAlgs[i] = (String) goodAlgs.elementAt(i);
}
@@ -250,8 +253,8 @@ public class SigningAlgorithmConstraints extends APolicyRule
/**
* Applies the policy on the given Request.
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
@@ -262,9 +265,10 @@ public class SigningAlgorithmConstraints extends APolicyRule
try {
// Get the certificate info from the request
- //X509CertInfo certInfo[] = (X509CertInfo[])
- // req.get(IRequest.CERT_INFO);
- X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ // X509CertInfo certInfo[] = (X509CertInfo[])
+ // req.get(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = req
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
// We need to have a certificate info set
if (certInfo == null) {
@@ -281,11 +285,11 @@ public class SigningAlgorithmConstraints extends APolicyRule
winnowByKey();
}
- CertificateAlgorithmId certAlgId = (CertificateAlgorithmId)
- certInfo[i].get(X509CertInfo.ALGORITHM_ID);
+ CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) certInfo[i]
+ .get(X509CertInfo.ALGORITHM_ID);
- AlgorithmId algId = (AlgorithmId)
- certAlgId.get(CertificateAlgorithmId.ALGORITHM);
+ AlgorithmId algId = (AlgorithmId) certAlgId
+ .get(CertificateAlgorithmId.ALGORITHM);
String alg = algId.getName();
// test against the list of allowed algorithms
@@ -297,26 +301,28 @@ public class SigningAlgorithmConstraints extends APolicyRule
if (j == mAllowedAlgs.length) {
// if the algor doesn't match the CA's key replace
// it with one that does.
- if (mAllowedAlgs[0].equals("SHA1withDSA") ||
- alg.equals("SHA1withDSA")) {
- certInfo[i].set(X509CertInfo.ALGORITHM_ID,
- new CertificateAlgorithmId(
- AlgorithmId.get(mAllowedAlgs[0])));
+ if (mAllowedAlgs[0].equals("SHA1withDSA")
+ || alg.equals("SHA1withDSA")) {
+ certInfo[i].set(
+ X509CertInfo.ALGORITHM_ID,
+ new CertificateAlgorithmId(AlgorithmId
+ .get(mAllowedAlgs[0])));
return PolicyResult.ACCEPTED;
}
// didn't find a match, alg not allowed
- setError(req, CMS.getUserMessage("CMS_POLICY_SIGNING_ALG_VIOLATION",
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_SIGNING_ALG_VIOLATION",
getInstanceName(), alg), "");
result = PolicyResult.REJECTED;
}
}
} catch (Exception e) {
// e.printStackTrace();
- String params[] = {getInstanceName(), e.toString()};
+ String params[] = { getInstanceName(), e.toString() };
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- params), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
result = PolicyResult.REJECTED;
}
return result;
@@ -324,10 +330,10 @@ public class SigningAlgorithmConstraints extends APolicyRule
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
Vector confParams = new Vector();
StringBuffer sb = new StringBuffer();
@@ -343,10 +349,10 @@ public class SigningAlgorithmConstraints extends APolicyRule
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getDefaultParams() {
+ public Vector getDefaultParams() {
StringBuffer sb = new StringBuffer();
sb.append(PROP_ALGORITHMS);
sb.append("=");
@@ -365,67 +371,73 @@ public class SigningAlgorithmConstraints extends APolicyRule
}
defConfParams.addElement(sb.toString());
- return defConfParams;
+ return defConfParams;
}
public String[] getExtendedPluginInfo(Locale locale) {
if (!winnowedByKey) {
- try {
- winnowByKey();
- } catch (Exception e) {
+ try {
+ winnowByKey();
+ } catch (Exception e) {
}
}
String[] params = null;
String[] params_BOTH = {
- PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," +
- "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"+
- "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," +
- "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," +
- "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," +
- "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," +
- "MD2withRSA\\,MD5withRSA," +
- "MD2withRSA\\,SHA1withRSA," +
- "MD2withRSA\\,SHA1withDSA," +
- "MD5withRSA\\,SHA1withRSA," +
- "MD5withRSA\\,SHA1withDSA," +
- "SHA1withRSA\\,SHA1withDSA," +
- "MD2withRSA," +
- "MD5withRSA," +
- "SHA1withRSA," +
- "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " +
- "to be one of the algorithms supported by Certificate System",
- IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Restricts the requested signing algorithm to be one of" +
- " the algorithms supported by Certificate System"
- };
+ PROP_ALGORITHMS
+ + ";"
+ + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA,"
+ + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"
+ + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA,"
+ + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA,"
+ + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"
+ + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA,"
+ + "MD2withRSA\\,MD5withRSA,"
+ + "MD2withRSA\\,SHA1withRSA,"
+ + "MD2withRSA\\,SHA1withDSA,"
+ + "MD5withRSA\\,SHA1withRSA,"
+ + "MD5withRSA\\,SHA1withDSA,"
+ + "SHA1withRSA\\,SHA1withDSA,"
+ + "MD2withRSA,"
+ + "MD5withRSA,"
+ + "SHA1withRSA,"
+ + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm "
+ + "to be one of the algorithms supported by Certificate System",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Restricts the requested signing algorithm to be one of"
+ + " the algorithms supported by Certificate System" };
String[] params_RSA = {
- PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," +
- "MD2withRSA\\,MD5withRSA," +
- "MD2withRSA\\,SHA1withRSA," +
- "MD5withRSA\\,SHA1withRSA," +
- "MD2withRSA," +
- "MD5withRSA," +
- "SHA1withRSA);Restrict the requested signing algorithm to be " +
- "one of the algorithms supported by Certificate System",
- IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Restricts the requested signing algorithm to be one of" +
- " the algorithms supported by Certificate System"
- };
+ PROP_ALGORITHMS
+ + ";"
+ + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA,"
+ + "MD2withRSA\\,MD5withRSA,"
+ + "MD2withRSA\\,SHA1withRSA,"
+ + "MD5withRSA\\,SHA1withRSA,"
+ + "MD2withRSA,"
+ + "MD5withRSA,"
+ + "SHA1withRSA);Restrict the requested signing algorithm to be "
+ + "one of the algorithms supported by Certificate System",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Restricts the requested signing algorithm to be one of"
+ + " the algorithms supported by Certificate System" };
String[] params_DSA = {
- PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " +
- "algorithm to be one of the algorithms supported by Certificate " +
- "System",
- IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Restricts the requested signing algorithm to be one of" +
- " the algorithms supported by Certificate System"
- };
+ PROP_ALGORITHMS
+ + ";"
+ + "choice(SHA1withDSA);Restrict the requested signing "
+ + "algorithm to be one of the algorithms supported by Certificate "
+ + "System",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-signingalgconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Restricts the requested signing algorithm to be one of"
+ + " the algorithms supported by Certificate System" };
switch (mDefaultAllowedAlgs.length) {
case 1:
@@ -447,4 +459,3 @@ public class SigningAlgorithmConstraints extends APolicyRule
}
}
-
generated by cgit (git 2.34.1) at 2024-05-05 10:48:32 +0000