diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints')
16 files changed, 1015 insertions, 1051 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java b/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java index 39c5cc51..2a98f12f 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/AgentPolicy.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Vector; import com.netscape.certsrv.apps.CMS; @@ -29,22 +30,24 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * AgentPolicy is an enrollment policy wraps another policy module. Requests are - * sent first to the contained module, but if the policy indicates that the - * request should be deferred, a check for agent approvals is done. If any are - * found, the request is approved. + * AgentPolicy is an enrollment policy wraps another policy module. + * Requests are sent first to the contained module, but if the + * policy indicates that the request should be deferred, a check + * for agent approvals is done. If any are found, the request + * is approved. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { +public class AgentPolicy extends APolicyRule + implements IEnrollmentPolicy { public AgentPolicy() { NAME = "AgentPolicy"; DESC = "Agent Approval Policy"; @@ -53,19 +56,19 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=AgentPolicy - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == - * netscape.com ra.Policy.rule.<ruleName>.class=xxxx - * ra.Policy.rule.<ruleName>.params.* - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=AgentPolicy + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * ra.Policy.rule.<ruleName>.class=xxxx + * ra.Policy.rule.<ruleName>.params.* + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Create subordinate object String className = (String) config.get("class"); @@ -80,9 +83,9 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { Object o = c.newInstance(); if (!(o instanceof APolicyRule)) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CLASS", - getInstanceName(), className)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CLASS", + getInstanceName(), className)); } APolicyRule pr = (APolicyRule) o; @@ -94,9 +97,9 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { throw e; } catch (Exception e) { System.err.println("Agent Policy Error: " + e); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_LOADING_POLICY_ERROR", getInstanceName(), - className)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_LOADING_POLICY_ERROR", + getInstanceName(), className)); } } } @@ -104,8 +107,8 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -122,13 +125,13 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { if (result == PolicyResult.DEFERRED) { System.err.println("Checking agent approvals"); // Try to find an agent approval - AgentApprovals aa = AgentApprovals.fromStringVector(req - .getExtDataInStringVector(AgentApprovals.class.getName())); + AgentApprovals aa = AgentApprovals.fromStringVector( + req.getExtDataInStringVector(AgentApprovals.class.getName())); - // Object o = req.get("agentApprovals"); + //Object o = req.get("agentApprovals"); // Any approvals causes success - if (aa != null && aa.elements().hasMoreElements()) // if (o != null) + if (aa != null && aa.elements().hasMoreElements()) //if (o != null) { System.err.println("Agent approval found"); result = PolicyResult.ACCEPTED; @@ -140,7 +143,7 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { @@ -149,12 +152,13 @@ public class AgentPolicy extends APolicyRule implements IEnrollmentPolicy { /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return null; } - APolicyRule mPolicy = null; + APolicyRule mPolicy = null; } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java index 4b929148..6438dc4a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Enumeration; import java.util.Hashtable; import java.util.Locale; @@ -43,20 +44,20 @@ import com.netscape.certsrv.request.PolicyResult; import com.netscape.certsrv.request.RequestId; import com.netscape.cms.policy.APolicyRule; + /** * This checks if attribute present. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AttributePresentConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class AttributePresentConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_ENABLED = "enabled"; protected static final String PROP_LDAP = "ldap"; @@ -75,59 +76,50 @@ public class AttributePresentConstraints extends APolicyRule implements private LDAPConnection mCheckAttrLdapConnection = null; public AttributePresentConstraints() { - DESC = "Rejects request if ldap attribute is not present in the " - + "directory."; + DESC = "Rejects request if ldap attribute is not present in the " + + "directory."; } public String[] getExtendedPluginInfo(Locale locale) { String params[] = { - PROP_ATTR - + ";string,required;Ldap attribute to check presence of (default " - + DEF_ATTR + ")", - PROP_VALUE - + ";string;if this parameter is non-empty, the attribute must " - + "match this value for the request to proceed ", - PROP_LDAP_BASE - + ";string,required;Base DN to start searching " - + "under. If your user's DN is 'uid=jsmith, o=company', you " - + "might want to use 'o=company' here", - PROP_LDAP_HOST + ";string,required;" - + "LDAP host to connect to", - PROP_LDAP_PORT + ";number,required;" - + "LDAP port number (use 389, or 636 if SSL)", - PROP_LDAP_SSL + ";boolean;" - + "Use SSL to connect to directory?", - PROP_LDAP_VER + ";choice(3,2),required;" - + "LDAP protocol version", - PROP_LDAP_BIND - + ";string;DN to bind as for attribute checking. " - + "For example 'CN=Pincheck User'", - PROP_LDAP_PW + ";password;Enter password used to bind as " - + "the above user", - PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;" - + "How to bind to the directory", - PROP_LDAP_CERT + ";string;If you want to use " - + "SSL client auth to the directory, set the client " - + "cert nickname here", - PROP_LDAP_BASE - + ";string,required;Base DN to start searching " - + "under. If your user's DN is 'uid=jsmith, o=company', you " - + "might want to use 'o=company' here", - PROP_LDAP_MINC + ";number;number of connections " - + "to keep open to directory server. Default " - + DEF_LDAP_MINC, - PROP_LDAP_MAXC - + ";number;when needed, connection " - + "pool can grow to this many (multiplexed) connections. Default " - + DEF_LDAP_MAXC, - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-pinpresent", - IExtendedPluginInfo.HELP_TEXT - + ";" - + DESC - + " This plugin can be used to " - + "check the presence (and, optionally, the value) of any LDAP " - + "attribute for the user. " }; + PROP_ATTR + ";string,required;Ldap attribute to check presence of (default " + + DEF_ATTR + ")", + PROP_VALUE + ";string;if this parameter is non-empty, the attribute must " + + "match this value for the request to proceed ", + PROP_LDAP_BASE + ";string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + PROP_LDAP_HOST + ";string,required;" + + "LDAP host to connect to", + PROP_LDAP_PORT + ";number,required;" + + "LDAP port number (use 389, or 636 if SSL)", + PROP_LDAP_SSL + ";boolean;" + + "Use SSL to connect to directory?", + PROP_LDAP_VER + ";choice(3,2),required;" + + "LDAP protocol version", + PROP_LDAP_BIND + ";string;DN to bind as for attribute checking. " + + "For example 'CN=Pincheck User'", + PROP_LDAP_PW + ";password;Enter password used to bind as " + + "the above user", + PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;" + + "How to bind to the directory", + PROP_LDAP_CERT + ";string;If you want to use " + + "SSL client auth to the directory, set the client " + + "cert nickname here", + PROP_LDAP_BASE + ";string,required;Base DN to start searching " + + "under. If your user's DN is 'uid=jsmith, o=company', you " + + "might want to use 'o=company' here", + PROP_LDAP_MINC + ";number;number of connections " + + "to keep open to directory server. Default " + DEF_LDAP_MINC, + PROP_LDAP_MAXC + ";number;when needed, connection " + + "pool can grow to this many (multiplexed) connections. Default " + DEF_LDAP_MAXC, + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-pinpresent", + IExtendedPluginInfo.HELP_TEXT + + ";" + DESC + " This plugin can be used to " + + "check the presence (and, optionally, the value) of any LDAP " + + "attribute for the user. " + }; return params; } @@ -188,9 +180,9 @@ public class AttributePresentConstraints extends APolicyRule implements protected static final String PROP_VALUE = "value"; protected static final String DEF_VALUE = ""; - protected static Vector mParamNames; + protected static Vector mParamNames; protected static Hashtable mParamDefault; - protected Hashtable mParamValue = null; + protected Hashtable mParamValue = null; static { mParamNames = new Vector(); @@ -209,7 +201,7 @@ public class AttributePresentConstraints extends APolicyRule implements addParam(PROP_ATTR, DEF_ATTR); addParam(PROP_VALUE, DEF_VALUE); }; - + protected static void addParam(String name, Object value) { mParamNames.addElement(name); mParamDefault.put(name, value); @@ -218,33 +210,40 @@ public class AttributePresentConstraints extends APolicyRule implements protected void getStringConfigParam(IConfigStore config, String paramName) { try { mParamValue.put( - paramName, - config.getString(paramName, - (String) mParamDefault.get(paramName))); + paramName, config.getString(paramName, (String) mParamDefault.get(paramName)) + ); } catch (Exception e) { } } protected void getIntConfigParam(IConfigStore config, String paramName) { try { - mParamValue.put(paramName, Integer.valueOf(config.getInteger( - paramName, - ((Integer) mParamDefault.get(paramName)).intValue()))); + mParamValue.put( + paramName, Integer.valueOf( + config.getInteger(paramName, + ((Integer) mParamDefault.get(paramName)).intValue() + ) + ) + ); } catch (Exception e) { } } protected void getBooleanConfigParam(IConfigStore config, String paramName) { try { - mParamValue.put(paramName, Boolean.valueOf(config.getBoolean( - paramName, - ((Boolean) mParamDefault.get(paramName)).booleanValue()))); + mParamValue.put( + paramName, Boolean.valueOf( + config.getBoolean(paramName, + ((Boolean) mParamDefault.get(paramName)).booleanValue() + ) + ) + ); } catch (Exception e) { } } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mParamValue = new Hashtable(); @@ -278,16 +277,14 @@ public class AttributePresentConstraints extends APolicyRule implements String requestType = r.getRequestType(); - if (requestType.equals(IRequest.ENROLLMENT_REQUEST) - || requestType.equals(IRequest.RENEWAL_REQUEST)) { + if (requestType.equals(IRequest.ENROLLMENT_REQUEST) || + requestType.equals(IRequest.RENEWAL_REQUEST)) { String uid = r.getExtDataInString(IRequest.HTTP_PARAMS, "uid"); if (uid == null) { - log(ILogger.LL_INFO, "did not find UID parameter in request " - + r.getRequestId()); - setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), - ""); + log(ILogger.LL_INFO, "did not find UID parameter in request " + r.getRequestId()); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } @@ -295,34 +292,26 @@ public class AttributePresentConstraints extends APolicyRule implements try { String[] attrs = { (String) mParamValue.get(PROP_ATTR) }; - LDAPSearchResults searchResult = mCheckAttrLdapConnection - .search((String) mParamValue.get(PROP_LDAP_BASE), - LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, - false); - + LDAPSearchResults searchResult = + mCheckAttrLdapConnection.search((String) mParamValue.get(PROP_LDAP_BASE), + LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, false); + if (!searchResult.hasMoreElements()) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); - setError(r, - CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), - ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid)); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } LDAPEntry entry = (LDAPEntry) searchResult.nextElement(); userdn = entry.getDN(); - - LDAPAttribute attr = entry.getAttribute((String) mParamValue - .get(PROP_ATTR)); + + LDAPAttribute attr = entry.getAttribute((String) mParamValue.get(PROP_ATTR)); /* if attribute not present, reject the request */ if (attr == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); - setError(r, - CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), - ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } String acceptedValue = ((String) mParamValue.get(PROP_VALUE)); @@ -338,24 +327,17 @@ public class AttributePresentConstraints extends APolicyRule implements } } if (matches == 0) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMS_AUTH_NO_PIN_FOUND", userdn)); - setError( - r, - CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), - ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn)); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } } - - CMS.debug("AttributePresentConstraints: Attribute is present for user: \"" - + userdn + "\""); + + CMS.debug("AttributePresentConstraints: Attribute is present for user: \"" + userdn + "\""); } catch (LDAPException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_PIN_UNAUTHORIZED")); - setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), - ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_PIN_UNAUTHORIZED")); + setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), ""); return PolicyResult.REJECTED; } @@ -401,26 +383,25 @@ public class AttributePresentConstraints extends APolicyRule implements return params; /* - * params.addElement("ldap.ldapconn.host=localhost"); - * params.addElement("ldap.ldapconn.port=389"); - * params.addElement("ldap.ldapconn.secureConn=false"); - * params.addElement("ldap.ldapconn.version=3"); - * params.addElement("ldap.ldapauth.bindDN=CN=Directory Manager"); - * params.addElement("ldap.ldapauth.bindPWPrompt="); - * params.addElement("ldap.ldapauth.clientCertNickname="); - * params.addElement("ldap.ldapauth.authtype=BasicAuth"); - * params.addElement("ldap.basedn="); - * params.addElement("ldap.minConns=1"); - * params.addElement("ldap.maxConns=5"); + params.addElement("ldap.ldapconn.host=localhost"); + params.addElement("ldap.ldapconn.port=389"); + params.addElement("ldap.ldapconn.secureConn=false"); + params.addElement("ldap.ldapconn.version=3"); + params.addElement("ldap.ldapauth.bindDN=CN=Directory Manager"); + params.addElement("ldap.ldapauth.bindPWPrompt="); + params.addElement("ldap.ldapauth.clientCertNickname="); + params.addElement("ldap.ldapauth.authtype=BasicAuth"); + params.addElement("ldap.basedn="); + params.addElement("ldap.minConns=1"); + params.addElement("ldap.maxConns=5"); */ } protected void log(int level, String msg) { - if (mLogger == null) - return; + if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, level, - "AttributePresentConstraints: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "AttributePresentConstraints: " + msg); } } diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java index 075f7a1f..3caee615 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/DSAKeyConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.math.BigInteger; import java.security.interfaces.DSAParams; import java.util.Locale; @@ -39,20 +40,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * DSAKeyConstraints policy enforces min and max size of the key. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class DSAKeyConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class DSAKeyConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private int mMinSize; private int mMaxSize; @@ -72,7 +73,7 @@ public class DSAKeyConstraints extends APolicyRule implements defConfParams.addElement(PROP_MIN_SIZE + "=" + DEF_MIN_SIZE); defConfParams.addElement(PROP_MAX_SIZE + "=" + DEF_MAX_SIZE); } - + public DSAKeyConstraints() { NAME = "DSAKeyConstraints"; DESC = "Enforces DSA Key Constraints."; @@ -82,10 +83,11 @@ public class DSAKeyConstraints extends APolicyRule implements String[] params = { PROP_MIN_SIZE + ";number;Minimum key size", PROP_MAX_SIZE + ";number;Maximum key size", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-dsakeyconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Rejects request if DSA key size is out of range" }; + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-dsakeyconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects request if DSA key size is out of range" + }; return params; } @@ -93,19 +95,18 @@ public class DSAKeyConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=DSAKeyConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minSize=512 - * ra.Policy.rule.<ruleName>.maxSize=1024 - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == - * netscape.com - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=DSAKeyConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minSize=512 + * ra.Policy.rule.<ruleName>.maxSize=1024 + * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get Min and Max sizes mConfig = config; @@ -118,46 +119,49 @@ public class DSAKeyConstraints extends APolicyRule implements String msg = "cannot be more than " + DEF_MAX_SIZE; log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_MAX_SIZE, msg)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MAX_SIZE, msg)); } if (mMinSize < DEF_MIN_SIZE) { String msg = "cannot be less than " + DEF_MIN_SIZE; log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_MIN_SIZE, msg)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } if (mMaxSize % INCREMENT != 0) { String msg = "must be in increments of " + INCREMENT; log(ILogger.LL_FAILURE, PROP_MAX_SIZE + " " + msg); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_MIN_SIZE, msg)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } if (mMaxSize % INCREMENT != 0) { String msg = "must be in increments of " + INCREMENT; log(ILogger.LL_FAILURE, PROP_MIN_SIZE + " " + msg); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_MIN_SIZE, msg)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_MIN_SIZE, msg)); } - + config.putInteger(PROP_MIN_SIZE, mMinSize); config.putInteger(PROP_MAX_SIZE, mMaxSize); } catch (Exception e) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CONFIG", getInstanceName(), - e.toString())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", getInstanceName(), e.toString())); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -166,60 +170,59 @@ public class DSAKeyConstraints extends APolicyRule implements try { // Get the certificate info from the request - X509CertInfo ci[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo ci[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // There should be a certificate info set. if (ci == null || ci[0] == null) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; } // Else check if the key size(s) are within the limit. for (int i = 0; i < ci.length; i++) { - CertificateX509Key certKey = (CertificateX509Key) ci[i] - .get(X509CertInfo.KEY); + CertificateX509Key certKey = (CertificateX509Key) + ci[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().toString(); if (!alg.equalsIgnoreCase(DSA)) continue; - // Check DSAKey parameters. - // size refers to the p parameter. + // Check DSAKey parameters. + // size refers to the p parameter. DSAPublicKey dsaKey = new DSAPublicKey(key.getEncoded()); DSAParams keyParams = dsaKey.getParams(); - if (keyParams == null) { + if (keyParams == null) { // key parameters could not be parsed. - Object[] params = new Object[] { getInstanceName(), - String.valueOf(i + 1) }; + Object[] params = new Object[] { + getInstanceName(), String.valueOf(i + 1) }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_NO_KEY_PARAMS", getInstanceName(), - String.valueOf(i + 1)), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEY_PARAMS", getInstanceName(), String.valueOf(i + 1)), ""); return PolicyResult.REJECTED; } BigInteger p = keyParams.getP(); int len = p.bitLength(); - if (len < mMinSize || len > mMaxSize || (len % INCREMENT) != 0) { - String[] parms = new String[] { getInstanceName(), - String.valueOf(len), String.valueOf(mMinSize), - String.valueOf(mMaxSize), String.valueOf(INCREMENT) }; + if (len < mMinSize || len > mMaxSize || + (len % INCREMENT) != 0) { + String[] parms = new String[] { + getInstanceName(), + String.valueOf(len), + String.valueOf(mMinSize), + String.valueOf(mMaxSize), + String.valueOf(INCREMENT) }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_KEY_SIZE_VIOLATION_1", parms), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION_1", parms), ""); return PolicyResult.REJECTED; } } } catch (Exception e) { // e.printStackTrace(); - String[] params = { getInstanceName(), e.toString() }; + String[] params = { getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -227,29 +230,27 @@ public class DSAKeyConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); try { - confParams.addElement(PROP_MIN_SIZE + "=" - + mConfig.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE)); - confParams.addElement(PROP_MAX_SIZE + "=" - + mConfig.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE)); - } catch (EBaseException e) { - ; + confParams.addElement(PROP_MIN_SIZE + "=" + mConfig.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE)); + confParams.addElement(PROP_MAX_SIZE + "=" + mConfig.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE)); + } catch (EBaseException e) {; } return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java b/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java index e59a2d72..3d4aedc3 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/DefaultRevocation.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Locale; import java.util.Vector; @@ -29,21 +30,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * This is the default revocation policy. Currently this does nothing. We can - * later add checks like whether or not to revoke expired certs ..etc here. + * This is the default revocation policy. Currently this does + * nothing. We can later add checks like whether or not to + * revoke expired certs ..etc here. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class DefaultRevocation extends APolicyRule implements - IRevocationPolicy, IExtendedPluginInfo { +public class DefaultRevocation extends APolicyRule + implements IRevocationPolicy, IExtendedPluginInfo { public DefaultRevocation() { NAME = "DefaultRevocation"; DESC = "Default Revocation Policy"; @@ -52,25 +54,24 @@ public class DefaultRevocation extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=DefaultRevocation - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == - * netscape.com - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=DefaultRevocation + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -79,7 +80,7 @@ public class DefaultRevocation extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { @@ -88,7 +89,7 @@ public class DefaultRevocation extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -96,9 +97,11 @@ public class DefaultRevocation extends APolicyRule implements } public String[] getExtendedPluginInfo(Locale locale) { - String[] params = { IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-defaultrevocation" }; + String[] params = { + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-defaultrevocation" + }; return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java index ccdb1088..aed75bcd 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/IssuerConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Locale; import java.util.Vector; @@ -34,29 +35,29 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * IssuerConstraints is a rule for restricting the issuers of the certificates - * used for certificate-based enrollments. + * IssuerConstraints is a rule for restricting the issuers of the + * certificates used for certificate-based enrollments. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$ $Date$ */ -public class IssuerConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class IssuerConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String PROP_ISSUER_DN = "issuerDN"; private static final String CLIENT_ISSUER = "clientIssuer"; private X500Name mIssuerDN = null; private String mIssuerDNString; /** - * checks the issuer of the ssl client-auth cert. Only one issuer is allowed - * for now + * checks the issuer of the ssl client-auth cert. Only one issuer + * is allowed for now */ public IssuerConstraints() { NAME = "IssuerConstraints"; @@ -65,13 +66,13 @@ public class IssuerConstraints extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_ISSUER_DN - + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-issuerconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Rejects the request if the issuer in the certificate is" - + "not of the one specified" }; + PROP_ISSUER_DN + ";string;Subject DN of the Issuer. The IssuerDN of the authenticating cert must match what's specified here", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-issuerconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects the request if the issuer in the certificate is" + + "not of the one specified" + }; return params; @@ -80,33 +81,34 @@ public class IssuerConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * - * @param config The config store reference + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { try { mIssuerDNString = config.getString(PROP_ISSUER_DN, null); - if ((mIssuerDNString != null) && !mIssuerDNString.equals("")) { + if ((mIssuerDNString != null) && + !mIssuerDNString.equals("")) { mIssuerDN = new X500Name(mIssuerDNString); } } catch (Exception e) { - log(ILogger.LL_FAILURE, - NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + log(ILogger.LL_FAILURE, + NAME + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); - String[] params = { getInstanceName(), e.toString() }; + String[] params = {getInstanceName(), e.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } - CMS.debug(NAME + ": init() done"); + CMS.debug( + NAME + ": init() done"); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -122,86 +124,83 @@ public class IssuerConstraints extends APolicyRule implements X500Name ci_name = new X500Name(clientIssuerDN); if (!ci_name.equals(mIssuerDN)) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_INVALID_ISSUER", getInstanceName()), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); result = PolicyResult.REJECTED; log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); - CMS.debug(NAME - + ": apply() - issuerDN mismatch: client issuerDN = " - + clientIssuerDN + "; expected issuerDN = " - + mIssuerDNString); + CMS.getLogMessage("CA_GET_ISSUER_NAME_FAILED")); + CMS.debug( + NAME + ": apply() - issuerDN mismatch: client issuerDN = " + clientIssuerDN + "; expected issuerDN = " + mIssuerDNString); } } else { // Get the certificate info from the request - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (certInfo == null) { - log(ILogger.LL_FAILURE, NAME - + ": apply() - missing certInfo"); - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + log(ILogger.LL_FAILURE, + NAME + ": apply() - missing certInfo"); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } - + for (int i = 0; i < certInfo.length; i++) { - String oldIssuer = (String) certInfo[i].get( - X509CertInfo.ISSUER).toString(); - + String oldIssuer = (String) + certInfo[i].get(X509CertInfo.ISSUER).toString(); + if (oldIssuer == null) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", + setError(req, + CMS.getUserMessage("CMS_POLICY_CLIENT_ISSUER_NOT_FOUND", getInstanceName()), ""); result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, NAME - + ": apply() - client issuerDN not found"); + log(ILogger.LL_FAILURE, + NAME + ": apply() - client issuerDN not found"); } X500Name oi_name = new X500Name(oldIssuer); if (!oi_name.equals(mIssuerDN)) { setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", - getInstanceName()), ""); + CMS.getUserMessage("CMS_POLICY_INVALID_ISSUER", + getInstanceName()), ""); result = PolicyResult.REJECTED; - log(ILogger.LL_FAILURE, - NAME - + ": apply() - cert issuerDN mismatch: client issuerDN = " - + oldIssuer + "; expected issuerDN = " - + mIssuerDNString); + log(ILogger.LL_FAILURE, + NAME + ": apply() - cert issuerDN mismatch: client issuerDN = " + oldIssuer + "; expected issuerDN = " + mIssuerDNString); } } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } if (result.equals(PolicyResult.ACCEPTED)) { - log(ILogger.LL_INFO, NAME + ": apply() - accepted"); + log(ILogger.LL_INFO, + NAME + ": apply() - accepted"); } return result; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_ISSUER_DN + "=" + mIssuerDNString); + confParams.addElement(PROP_ISSUER_DN + "=" + + mIssuerDNString); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java index e17897f9..8286cf31 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/KeyAlgorithmConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -36,41 +37,44 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * KeyAlgorithmConstraints enforces a constraint that the RA or a CA honor only - * the keys generated using one of the permitted algorithms such as RSA, DSA or - * DH. + * KeyAlgorithmConstraints enforces a constraint that the RA or a CA + * honor only the keys generated using one of the permitted algorithms + * such as RSA, DSA or DH. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class KeyAlgorithmConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class KeyAlgorithmConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private Vector mAlgorithms; private final static String DEF_KEY_ALGORITHM = "RSA,DSA"; private final static String PROP_ALGORITHMS = "algorithms"; - private final static String[] supportedAlgorithms = { "RSA", "DSA", "DH" }; + private final static String[] supportedAlgorithms = + {"RSA", "DSA", "DH" }; private final static Vector defConfParams = new Vector(); static { - defConfParams.addElement(PROP_ALGORITHMS + "=" + DEF_KEY_ALGORITHM); + defConfParams.addElement(PROP_ALGORITHMS + "=" + + DEF_KEY_ALGORITHM); } public String[] getExtendedPluginInfo(Locale locale) { String params[] = { "algorithms;choice(RSA\\,DSA,RSA,DSA);Certificate's key can be one of these algorithms", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-keyalgorithmconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Rejects the request if the key in the certificate is " - + "not of the type specified" }; + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-keyalgorithmconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects the request if the key in the certificate is " + + "not of the type specified" + }; return params; } @@ -83,17 +87,17 @@ public class KeyAlgorithmConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints + * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { mAlgorithms = new Vector(); @@ -108,10 +112,10 @@ public class KeyAlgorithmConstraints extends APolicyRule implements try { algNames = config.getString(PROP_ALGORITHMS, null); } catch (Exception e) { - String[] params = { getInstanceName(), e.toString() }; + String[] params = {getInstanceName(), e.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } if (algNames == null) { @@ -129,10 +133,11 @@ public class KeyAlgorithmConstraints extends APolicyRule implements } // Check if configured algorithms are supported. - for (Enumeration e = mAlgorithms.elements(); e.hasMoreElements();) { + for (Enumeration e = mAlgorithms.elements(); + e.hasMoreElements();) { int i; String configuredAlg = (String) e.nextElement(); - + // See if it is a supported algorithm. for (i = 0; i < supportedAlgorithms.length; i++) { if (configuredAlg.equals(supportedAlgorithms[i])) @@ -141,17 +146,17 @@ public class KeyAlgorithmConstraints extends APolicyRule implements // Did we not find it? if (i == supportedAlgorithms.length) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_UNSUPPORTED_KEY_ALG", getInstanceName(), - configuredAlg)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_UNSUPPORTED_KEY_ALG", + getInstanceName(), configuredAlg)); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -161,9 +166,8 @@ public class KeyAlgorithmConstraints extends APolicyRule implements try { // Get the certificate info from the request // X509CertInfo certInfo[] = (X509CertInfo[]) - // req.get(IRequest.CERT_INFO); - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // We need to have a certificate info set if (certInfo == null) { @@ -174,23 +178,22 @@ public class KeyAlgorithmConstraints extends APolicyRule implements // Else check if the key algorithm is supported. for (int i = 0; i < certInfo.length; i++) { - CertificateX509Key certKey = (CertificateX509Key) certInfo[i] - .get(X509CertInfo.KEY); + CertificateX509Key certKey = (CertificateX509Key) + certInfo[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().getName().toUpperCase(); if (!mAlgorithms.contains(alg)) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_KEY_ALG_VIOLATION", getInstanceName(), - alg), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_ALG_VIOLATION", + getInstanceName(), alg), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; @@ -198,10 +201,10 @@ public class KeyAlgorithmConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector v = new Vector(); StringBuffer sb = new StringBuffer(); @@ -214,13 +217,14 @@ public class KeyAlgorithmConstraints extends APolicyRule implements v.addElement(PROP_ALGORITHMS + "=" + sb.toString()); return v; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java index 1df31a34..a2bf9437 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ManualAuthentication.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Vector; import com.netscape.certsrv.authentication.IAuthToken; @@ -28,22 +29,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * ManualAuthentication is an enrollment policy that queues all requests for - * issuing agent's approval if no authentication is present. The policy rejects - * a request if any of the auth tokens indicates authentication failure. + * ManualAuthentication is an enrollment policy that queues + * all requests for issuing agent's approval if no authentication + * is present. The policy rejects a request if any of the auth tokens + * indicates authentication failure. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class ManualAuthentication extends APolicyRule implements - IEnrollmentPolicy { +public class ManualAuthentication extends APolicyRule + implements IEnrollmentPolicy { public ManualAuthentication() { NAME = "ManualAuthentication"; DESC = "Manual Authentication Policy"; @@ -52,31 +54,30 @@ public class ManualAuthentication extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=ManualAuthentication - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == - * netscape.com - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ManualAuthentication + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate= ou == engineering AND o == netscape.com + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { IAuthToken authToken = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); - if (authToken == null) + if (authToken == null) return deferred(req); return PolicyResult.ACCEPTED; @@ -84,7 +85,7 @@ public class ManualAuthentication extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { @@ -93,10 +94,11 @@ public class ManualAuthentication extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return null; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java index 839a8134..7f7537bf 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RSAKeyConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; @@ -40,21 +41,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * RSAKeyConstraints policy enforces min and max size of the key. Optionally - * checks the exponents. + * RSAKeyConstraints policy enforces min and max size of the key. + * Optionally checks the exponents. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class RSAKeyConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class RSAKeyConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private Vector mExponents; private int mMinSize; private int mMaxSize; @@ -78,13 +79,13 @@ public class RSAKeyConstraints extends APolicyRule implements String[] params = { PROP_MIN_SIZE + ";number;Minimum size of user's RSA key (bits)", PROP_MAX_SIZE + ";number;Maximum size of user's RSA key (bits)", - PROP_EXPONENTS - + ";string;Comma-separated list of permissible exponents", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-rsakeyconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Reject request if RSA key length is not within the " - + "specified constraints" }; + PROP_EXPONENTS + ";string;Comma-separated list of permissible exponents", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-rsakeyconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject request if RSA key length is not within the " + + "specified constraints" + }; return params; } @@ -97,40 +98,40 @@ public class RSAKeyConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=RSAKeyConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minSize=512 - * ra.Policy.rule.<ruleName>.maxSize=2048 - * ra.Policy.rule.<ruleName>.predicate=ou==Marketing - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=RSAKeyConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minSize=512 + * ra.Policy.rule.<ruleName>.maxSize=2048 + * ra.Policy.rule.<ruleName>.predicate=ou==Marketing + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { if (config == null || config.size() == 0) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_MISSING_POLICY_CONFIG", getInstanceName())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_MISSING_POLICY_CONFIG", + getInstanceName())); String exponents = null; // Get Min and Max sizes mMinSize = config.getInteger(PROP_MIN_SIZE, DEF_MIN_SIZE); mMaxSize = config.getInteger(PROP_MAX_SIZE, DEF_MAX_SIZE); - if (mMinSize <= 0) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MIN_SIZE)); - if (mMaxSize <= 0) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MAX_SIZE)); + if (mMinSize <= 0) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MIN_SIZE)); + if (mMaxSize <= 0) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_MAX_SIZE)); - if (mMinSize > mMaxSize) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_A_GREATER_THAN_EQUAL_B", PROP_MIN_SIZE, - PROP_MAX_SIZE)); + if (mMinSize > mMaxSize) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_A_GREATER_THAN_EQUAL_B", PROP_MIN_SIZE, PROP_MAX_SIZE)); mExponents = new Vector(); @@ -148,11 +149,11 @@ public class RSAKeyConstraints extends APolicyRule implements } } catch (Exception e) { // e.printStackTrace(); - String[] params = { getInstanceName(), exponents, - PROP_EXPONENTS }; + String[] params = {getInstanceName(), exponents, + PROP_EXPONENTS}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_CONFIG_PARAM", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_CONFIG_PARAM", params)); } } } @@ -160,8 +161,8 @@ public class RSAKeyConstraints extends APolicyRule implements /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -170,20 +171,20 @@ public class RSAKeyConstraints extends APolicyRule implements try { // Get the certificate info from the request - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // There should be a certificate info set. if (certInfo == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } // Else check if the key size(s) are within the limit. for (int i = 0; i < certInfo.length; i++) { - CertificateX509Key certKey = (CertificateX509Key) certInfo[i] - .get(X509CertInfo.KEY); + CertificateX509Key certKey = (CertificateX509Key) + certInfo[i].get(X509CertInfo.KEY); X509Key key = (X509Key) certKey.get(CertificateX509Key.KEY); String alg = key.getAlgorithmId().toString(); @@ -192,25 +193,28 @@ public class RSAKeyConstraints extends APolicyRule implements X509Key newkey = null; try { - newkey = new X509Key(AlgorithmId.get("RSA"), key.getKey()); + newkey = new X509Key(AlgorithmId.get("RSA"), + key.getKey()); } catch (Exception e) { - CMS.debug("RSAKeyConstraints::apply() - " + "Exception=" - + e.toString()); - setError(req, - CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", - getInstanceName()), ""); + CMS.debug( "RSAKeyConstraints::apply() - " + + "Exception="+e.toString() ); + setError( req, + CMS.getUserMessage( "CMS_POLICY_KEY_SIZE_VIOLATION", + getInstanceName() ), + "" ); return PolicyResult.REJECTED; } RSAPublicKey rsaKey = new RSAPublicKey(newkey.getEncoded()); int keySize = rsaKey.getKeySize(); if (keySize < mMinSize || keySize > mMaxSize) { - String[] params = { getInstanceName(), - String.valueOf(keySize), String.valueOf(mMinSize), - String.valueOf(mMaxSize) }; + String[] params = {getInstanceName(), + String.valueOf(keySize), + String.valueOf(mMinSize), + String.valueOf(mMaxSize)}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_KEY_SIZE_VIOLATION", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_KEY_SIZE_VIOLATION", + params), ""); result = PolicyResult.REJECTED; } @@ -222,28 +226,26 @@ public class RSAKeyConstraints extends APolicyRule implements if (!mExponents.contains(exp)) { StringBuffer sb = new StringBuffer(); - for (Enumeration e = mExponents.elements(); e - .hasMoreElements();) { + for (Enumeration e = mExponents.elements(); + e.hasMoreElements();) { BigInt bi = (BigInt) e.nextElement(); sb.append(bi.toBigInteger().toString()); sb.append(" "); } - String[] params = { getInstanceName(), - exp.toBigInteger().toString(), new String(sb) }; + String[] params = {getInstanceName(), + exp.toBigInteger().toString(), new String(sb)}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_EXPONENT_VIOLATION", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_EXPONENT_VIOLATION", params), ""); result = PolicyResult.REJECTED; } } } } catch (Exception e) { // e.printStackTrace(); - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -251,10 +253,10 @@ public class RSAKeyConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); confParams.addElement(PROP_MIN_SIZE + "=" + mMinSize); @@ -273,10 +275,11 @@ public class RSAKeyConstraints extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { return defConfParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java index 77b50eb1..08e479b8 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -36,22 +37,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Whether to allow renewal of an expired cert. - * * @version $Revision$, $Date$ - * <P> - * - * <PRE> + * <P> + * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> - * <P> - * + * <P> + * * @deprecated * @version $Revision$, $Date$ */ -public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, - IExtendedPluginInfo { +public class RenewalConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_RENEWAL_NOT_AFTER = "renewalNotAfter"; @@ -65,8 +65,8 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, private final static Vector defConfParams = new Vector(); static { defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); - defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" - + DEF_RENEWAL_NOT_AFTER); + defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + DEF_RENEWAL_NOT_AFTER); } public RenewalConstraints() { @@ -76,15 +76,14 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_ALLOW_EXPIRED_CERTS - + ";boolean;Allow a user to renew an already-expired certificate", - PROP_RENEWAL_NOT_AFTER - + ";number;Number of days since certificate expiry after which renewal request would be rejected", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-renewalconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Permit administrator to decide policy on whether to " - + "permit renewals for already-expired certificates" }; + PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to renew an already-expired certificate", + PROP_RENEWAL_NOT_AFTER + ";number;Number of days since certificate expiry after which renewal request would be rejected", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Permit administrator to decide policy on whether to " + + "permit renewals for already-expired certificates" + }; return params; @@ -93,24 +92,24 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { - mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, - true); + mAllowExpiredCerts = + config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); String val = config.getString(PROP_RENEWAL_NOT_AFTER, null); - if (val == null) + if (val == null) mRenewalNotAfter = DEF_RENEWAL_NOT_AFTER * DAYS_TO_MS_FACTOR; else { mRenewalNotAfter = Long.parseLong(val) * DAYS_TO_MS_FACTOR; @@ -120,15 +119,14 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, // never happen. } - CMS.debug("RenewalConstraints: allow expired certs " - + mAllowExpiredCerts); + CMS.debug("RenewalConstraints: allow expired certs " + mAllowExpiredCerts); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -136,52 +134,44 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, try { // Get the certificates being renwed. - X509CertImpl[] oldCerts = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] oldCerts = + req.getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", getInstanceName()), ""); return PolicyResult.REJECTED; } - + if (mAllowExpiredCerts) { CMS.debug("checking validity of each cert"); - // check if each cert to be renewed is expired for more than // - // allowed days. + // check if each cert to be renewed is expired for more than // allowed days. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get(X509CertImpl.NAME + "." + + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate eligible for renewal ? Date now = CMS.getCurrentDate(); - Date renewedNotAfter = new Date(notAfter.getTime() - + mRenewalNotAfter); + Date renewedNotAfter = new Date(notAfter.getTime() + + mRenewalNotAfter); - CMS.debug("RenewalConstraints: cert " + i - + " renewedNotAfter " + renewedNotAfter + " now=" - + now); + CMS.debug("RenewalConstraints: cert " + i + " renewedNotAfter " + renewedNotAfter + " now=" + now); if (renewedNotAfter.before(now)) { - CMS.debug("One or more certificates is expired for more than " - + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) - + " days"); - String params[] = { - getInstanceName(), - Long.toString(mRenewalNotAfter - / DAYS_TO_MS_FACTOR) }; - - setError( - req, - CMS.getUserMessage( - "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", - params), ""); + CMS.debug( + "One or more certificates is expired for more than " + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); + String params[] = { getInstanceName(), Long.toString(mRenewalNotAfter / DAYS_TO_MS_FACTOR) }; + + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", + params), ""); return PolicyResult.REJECTED; } } @@ -191,35 +181,35 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, CMS.debug("RenewalConstraints: checking validity of each cert"); // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); - CMS.debug("RenewalConstraints: cert " + i + " notAfter " - + notAfter + " now=" + now); + CMS.debug("RenewalConstraints: cert " + i + " notAfter " + notAfter + " now=" + now); if (notAfter.before(now)) { - CMS.debug("RenewalConstraints: One or more certificates is expired."); + CMS.debug( + "RenewalConstraints: One or more certificates is expired."); String params[] = { getInstanceName() }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", params), - ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", + params), ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -227,22 +217,22 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" - + mAllowExpiredCerts); - confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + mRenewalNotAfter - / DAYS_TO_MS_FACTOR); + confParams.addElement( + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + mRenewalNotAfter / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java index 8b09c767..3d98f3c2 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -35,29 +36,30 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * RenewalValidityConstraints is a default rule for Certificate Renewal. This - * policy enforces the no of days before which a currently active certificate - * can be renewed and sets new validity period for the renewed certificate - * starting from the the ending period in the old certificate. - * + * RenewalValidityConstraints is a default rule for Certificate + * Renewal. This policy enforces the no of days before which a + * currently active certificate can be renewed and sets new validity + * period for the renewed certificate starting from the the ending + * period in the old certificate. + * * The main parameters are: - * - * The renewal leadtime in days: - i.e how many days before the expiry of the - * current certificate can one request the renewal. min and max validity - * duration. + * + * The renewal leadtime in days: - i.e how many days before the + * expiry of the current certificate can one request the renewal. + * min and max validity duration. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class RenewalValidityConstraints extends APolicyRule implements - IRenewalPolicy, IExtendedPluginInfo { +public class RenewalValidityConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { private long mMinValidity; private long mMaxValidity; private long mRenewalInterval; @@ -75,25 +77,25 @@ public class RenewalValidityConstraints extends APolicyRule implements private final static Vector defConfParams = new Vector(); static { - defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY); - defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY); - defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" - + DEF_RENEWAL_INTERVAL); + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + DEF_RENEWAL_INTERVAL); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_MIN_VALIDITY - + ";number;Specifies the minimum validity period, in days, for renewed certificates.", - PROP_MAX_VALIDITY - + ";number;Specifies the maximum validity period, in days, for renewed certificates.", - PROP_RENEWAL_INTERVAL - + ";number;Specifies how many days before its expiration that a certificate can be renewed.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-renewalvalidityconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Reject renewal request if the certificate is too far " - + "before it's expiry date" }; + PROP_MIN_VALIDITY + ";number;Specifies the minimum validity period, in days, for renewed certificates.", + PROP_MAX_VALIDITY + ";number;Specifies the maximum validity period, in days, for renewed certificates.", + PROP_RENEWAL_INTERVAL + ";number;Specifies how many days before its expiration that a certificate can be renewed.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalvalidityconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject renewal request if the certificate is too far " + + "before it's expiry date" + }; return params; @@ -107,20 +109,20 @@ public class RenewalValidityConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minValidity=30 - * ra.Policy.rule.<ruleName>.maxValidity=180 - * ra.Policy.rule.<ruleName>.renewalInterval=15 - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minValidity=30 + * ra.Policy.rule.<ruleName>.maxValidity=180 + * ra.Policy.rule.<ruleName>.renewalInterval=15 + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and onfigure them. try { @@ -146,37 +148,37 @@ public class RenewalValidityConstraints extends APolicyRule implements // minValidity can't be bigger than maxValidity. if (mMinValidity > mMaxValidity) { - String params[] = { getInstanceName(), + String params[] = {getInstanceName(), String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); } // Renewal interval can't be more than maxValidity. if (mRenewalInterval > mMaxValidity) { - String params[] = { getInstanceName(), + String params[] = {getInstanceName(), String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); } } catch (Exception e) { // e.printStackTrace(); - String[] params = { getInstanceName(), e.toString() }; + String[] params = {getInstanceName(), e.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -188,16 +190,16 @@ public class RenewalValidityConstraints extends APolicyRule implements try { // Get the certificate info from the request - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // Get the certificates being renwed. - X509CertImpl currentCerts[] = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl currentCerts[] = + req.getExtDataInCertArray(IRequest.OLD_CERTS); // Both certificate info and current certs should be set if (certInfo == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -207,21 +209,21 @@ public class RenewalValidityConstraints extends APolicyRule implements return PolicyResult.REJECTED; } if (certInfo.length != currentCerts.length) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_MISMATCHED_CERTINFO", getInstanceName()), - ""); + setError(req, CMS.getUserMessage("CMS_POLICY_MISMATCHED_CERTINFO", + getInstanceName()), ""); return PolicyResult.REJECTED; } // Else check if the renewal interval is okay and then // set the validity. for (int i = 0; i < certInfo.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) currentCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + currentCerts[i].get(X509CertImpl.NAME + + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); @@ -231,13 +233,12 @@ public class RenewalValidityConstraints extends APolicyRule implements long interval = notAfter.getTime() - now.getTime(); if (interval > mRenewalInterval) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_LONG_RENEWAL_LEAD_TIME", + setError(req, + CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", getInstanceName(), - String.valueOf(mRenewalInterval - / DAYS_TO_MS_FACTOR)), ""); - setError(req, CMS.getUserMessage( - "CMS_POLICY_EXISTING_CERT_DETAILS", + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", getInstanceName(), getCertDetails(req, currentCerts[i])), ""); @@ -247,28 +248,29 @@ public class RenewalValidityConstraints extends APolicyRule implements } } - // Else compute new validity. + // Else compute new validity. Date renewedNotBef = notAfter; - Date renewedNotAfter = new Date(notAfter.getTime() - + mMaxValidity); + Date renewedNotAfter = new Date(notAfter.getTime() + + mMaxValidity); - // If the new notAfter is within renewal interval days from + // If the new notAfter is within renewal interval days from // today or already expired, set the notBefore to today. - if (renewedNotAfter.before(now) - || (renewedNotAfter.getTime() - now.getTime()) <= mRenewalInterval) { + if (renewedNotAfter.before(now) || + (renewedNotAfter.getTime() - now.getTime()) <= + mRenewalInterval) { renewedNotBef = now; - renewedNotAfter = new Date(now.getTime() + mMaxValidity); + renewedNotAfter = new Date(now.getTime() + + mMaxValidity); } - CertificateValidity newValidity = new CertificateValidity( - renewedNotBef, renewedNotAfter); + CertificateValidity newValidity = + new CertificateValidity(renewedNotBef, renewedNotAfter); certInfo[i].set(X509CertInfo.VALIDITY, newValidity); } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -276,24 +278,24 @@ public class RenewalValidityConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity - / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity - / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + mRenewalInterval - / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MIN_VALIDITY + "=" + + mMinValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + mRenewalInterval / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -304,7 +306,7 @@ public class RenewalValidityConstraints extends APolicyRule implements private void setDummyValidity(X509CertInfo certInfo) { try { certInfo.set(X509CertInfo.VALIDITY, - new CertificateValidity(CMS.getCurrentDate(), new Date())); + new CertificateValidity(CMS.getCurrentDate(), new Date())); } catch (Exception e) { } } @@ -315,8 +317,8 @@ public class RenewalValidityConstraints extends APolicyRule implements sb.append("\n"); sb.append("Serial No: " + cert.getSerialNumber().toString(16)); sb.append("\n"); - sb.append("Validity: " + cert.getNotBefore().toString() + " - " - + cert.getNotAfter().toString()); + sb.append("Validity: " + cert.getNotBefore().toString() + + " - " + cert.getNotAfter().toString()); sb.append("\n"); String certType = req.getExtDataInString(IRequest.CERT_TYPE); @@ -324,12 +326,11 @@ public class RenewalValidityConstraints extends APolicyRule implements certType = IRequest.SERVER_CERT; if (certType.equals(IRequest.CLIENT_CERT)) { - /*** - * Take this our - URL formulation hard to do here. sb.append( - * "Use the following url with your CA/RA gateway spec to download the certificate." - * ); sb.append("\n"); - * sb.append("/query/certImport?op=displayByserial&serialNumber="); - * sb.append(cert.getSerialNumber().toString(16)); + /*** Take this our - URL formulation hard to do here. + sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); + sb.append("\n"); + sb.append("/query/certImport?op=displayByserial&serialNumber="); + sb.append(cert.getSerialNumber().toString(16)); ***/ sb.append("\n"); } else { @@ -341,7 +342,7 @@ public class RenewalValidityConstraints extends APolicyRule implements sb.append(CERT_HEADER + encodedCert + CERT_TRAILER); } catch (Exception e) { - // throw new AssertionException(e.toString()); + //throw new AssertionException(e.toString()); } } return sb.toString(); diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java index 546bd741..686529f4 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RevocationConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -37,20 +38,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Whether to allow revocation of an expired cert. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class RevocationConstraints extends APolicyRule implements - IRevocationPolicy, IExtendedPluginInfo { +public class RevocationConstraints extends APolicyRule + implements IRevocationPolicy, IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_ALLOW_ON_HOLD = "allowOnHold"; @@ -70,18 +71,16 @@ public class RevocationConstraints extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_ALLOW_EXPIRED_CERTS - + ";boolean;Allow a user to revoke an already-expired certificate", - PROP_ALLOW_ON_HOLD - + ";boolean;Allow a user to set reason to On-Hold", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-revocationconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Allow administrator to decide policy on whether to allow " - + "recovation of expired certificates" - + "and set reason to On-Hold" - - }; + PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to revoke an already-expired certificate", + PROP_ALLOW_ON_HOLD + ";boolean;Allow a user to set reason to On-Hold", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-revocationconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Allow administrator to decide policy on whether to allow " + + "recovation of expired certificates" + + "and set reason to On-Hold" + + }; return params; @@ -90,36 +89,36 @@ public class RevocationConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and onfigure them. try { - mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, - true); - mAllowOnHold = config.getBoolean(PROP_ALLOW_ON_HOLD, true); + mAllowExpiredCerts = + config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); + mAllowOnHold = + config.getBoolean(PROP_ALLOW_ON_HOLD, true); } catch (EBaseException e) { // never happen. } - CMS.debug("RevocationConstraints: allow expired certs " - + mAllowExpiredCerts); + CMS.debug("RevocationConstraints: allow expired certs " + mAllowExpiredCerts); CMS.debug("RevocationConstraints: allow on hold " + mAllowOnHold); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -128,8 +127,8 @@ public class RevocationConstraints extends APolicyRule implements CMS.debug("RevocationConstraints: apply: no revocationReason found in request"); return PolicyResult.REJECTED; } - RevocationReason rr = RevocationReason.fromInt(req.getExtDataInInteger( - IRequest.REVOKED_REASON).intValue()); + RevocationReason rr = RevocationReason.fromInt( + req.getExtDataInInteger(IRequest.REVOKED_REASON).intValue()); if (!mAllowOnHold && (rr != null)) { int reason = rr.toInt(); @@ -137,37 +136,37 @@ public class RevocationConstraints extends APolicyRule implements if (reason == RevocationReason.CERTIFICATE_HOLD.toInt()) { String params[] = { getInstanceName() }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_NO_ON_HOLD_ALLOWED", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_ON_HOLD_ALLOWED", params), ""); return PolicyResult.REJECTED; - } + } } if (mAllowExpiredCerts) // nothing to check. return PolicyResult.ACCEPTED; - + PolicyResult result = PolicyResult.ACCEPTED; try { // Get the certificates being renwed. - X509CertImpl[] oldCerts = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] oldCerts = + req.getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT"), - getInstanceName()); + getInstanceName()); return PolicyResult.REJECTED; } // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); @@ -175,19 +174,18 @@ public class RevocationConstraints extends APolicyRule implements if (notAfter.before(now)) { String params[] = { getInstanceName() }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS", params), - ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_REVOKE_EXPIRED_CERTS", + params), ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -195,21 +193,22 @@ public class RevocationConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" - + mAllowExpiredCerts); - confParams.addElement(PROP_ALLOW_ON_HOLD + "=" + mAllowOnHold); + confParams.addElement( + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + confParams.addElement( + PROP_ALLOW_ON_HOLD + "=" + mAllowOnHold); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java index 213212fb..9d519284 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SigningAlgorithmConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; @@ -40,24 +41,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * SigningAlgorithmConstraints enforces that only a supported signing algorithm - * be requested. + * SigningAlgorithmConstraints enforces that only a supported + * signing algorithm be requested. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SigningAlgorithmConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class SigningAlgorithmConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private String[] mAllowedAlgs = null; // algs allowed by this policy - static String[] mDefaultAllowedAlgs = null; // default algs allowed by this - // policy based on CA's key + static String[] mDefaultAllowedAlgs = null; // default algs allowed by this policy based on CA's key private String[] mConfigAlgs = null; // algs listed in config file private boolean winnowedByKey = false; IAuthority mAuthority = null; @@ -94,17 +94,17 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=SigningAlgorithmConstraints + * ra.Policy.rule.<ruleName>.algorithms=SHA-1WithRSA, SHA-1WithDSA + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mAuthority = (IAuthority) ((IPolicyProcessor) owner).getAuthority(); // Get allowed algorithms from config file @@ -114,11 +114,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements try { algNames = config.getString(PROP_ALGORITHMS, null); } catch (Exception e) { - String[] params = { getInstanceName(), e.toString(), - PROP_ALGORITHMS }; + String[] params = {getInstanceName(), e.toString(), PROP_ALGORITHMS}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PARAM_CONFIG_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PARAM_CONFIG_ERROR", params)); } if (algNames != null) { @@ -137,7 +136,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements for (int i = 0; i < itemCount; i++) { mAllowedAlgs[i] = (String) algs.elementAt(i); } - + } } @@ -150,8 +149,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements if (mAllowedAlgs != null) { // winnow out unknown algorithms - winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, - "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); + winnowAlgs(AlgorithmId.ALL_SIGNING_ALGORITHMS, + "CMS_POLICY_UNKNOWN_SIGNING_ALG", true); } else { // if nothing was in the config file, allow all known algs mAllowedAlgs = AlgorithmId.ALL_SIGNING_ALGORITHMS; @@ -161,8 +160,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements winnowByKey(); if (mAllowedAlgs.length == 0) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY", NAME)); } } @@ -183,20 +182,20 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } // get list of algorithms allowed for the key - String[] allowedByKey = ((ICertAuthority) mAuthority) - .getCASigningAlgorithms(); + String[] allowedByKey = + ((ICertAuthority) mAuthority).getCASigningAlgorithms(); if (allowedByKey != null) { - // don't show algorithms that don't match CA's key in UI. + // don't show algorithms that don't match CA's key in UI. mDefaultAllowedAlgs = new String[allowedByKey.length]; for (int i = 0; i < allowedByKey.length; i++) mDefaultAllowedAlgs[i] = allowedByKey[i]; - // winnow out algorithms that don't match CA's signing key - winnowAlgs(allowedByKey, "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", - false); + // winnow out algorithms that don't match CA's signing key + winnowAlgs(allowedByKey, + "CMS_POLICY_SIGNALG_NOT_MATCH_CAKEY_1", false); winnowedByKey = true; } else { - // We don't know the CA's signing algorithms. Maybe we're + // We don't know the CA's signing algorithms. Maybe we're // an RA that hasn't talked to the CA yet? Try again later. } } @@ -204,15 +203,14 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Winnows out of mAllowedAlgorithms those algorithms that aren't allowed * for some reason. - * - * @param allowed An array of allowed algorithms. Only algorithms in this - * list will survive the winnowing process. - * @param reason A string describing the problem with an algorithm that is - * not allowed by this list. Must be a predefined string in - * PolicyResources. + * + * @param allowed An array of allowed algorithms. Only algorithms in this + * list will survive the winnowing process. + * @param reason A string describing the problem with an algorithm + * that is not allowed by this list. Must be a predefined string in PolicyResources. */ - private void winnowAlgs(String[] allowed, String reason, boolean isError) - throws EBaseException { + private void winnowAlgs(String[] allowed, String reason, boolean isError) + throws EBaseException { int i, j, goodSize; // validate the currently-allowed algorithms @@ -227,13 +225,12 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } // if algorithm is not allowed, log a warning if (j == allowed.length) { - EPolicyException e = new EPolicyException(CMS.getUserMessage( - reason, NAME, mAllowedAlgs[i])); + EPolicyException e = new EPolicyException(CMS.getUserMessage(reason, NAME, mAllowedAlgs[i])); if (isError) { log(ILogger.LL_FAILURE, e.toString()); - throw new EPolicyException(CMS.getUserMessage(reason, NAME, - mAllowedAlgs[i])); + throw new EPolicyException(CMS.getUserMessage(reason, + NAME, mAllowedAlgs[i])); } else { log(ILogger.LL_WARN, e.toString()); } @@ -243,7 +240,7 @@ public class SigningAlgorithmConstraints extends APolicyRule implements // convert back into an array goodSize = goodAlgs.size(); if (mAllowedAlgs.length != goodSize) { - mAllowedAlgs = new String[goodSize]; + mAllowedAlgs = new String[ goodSize ]; for (i = 0; i < goodSize; i++) { mAllowedAlgs[i] = (String) goodAlgs.elementAt(i); } @@ -253,8 +250,8 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -265,10 +262,9 @@ public class SigningAlgorithmConstraints extends APolicyRule implements try { // Get the certificate info from the request - // X509CertInfo certInfo[] = (X509CertInfo[]) - // req.get(IRequest.CERT_INFO); - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + //X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // We need to have a certificate info set if (certInfo == null) { @@ -285,11 +281,11 @@ public class SigningAlgorithmConstraints extends APolicyRule implements winnowByKey(); } - CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) certInfo[i] - .get(X509CertInfo.ALGORITHM_ID); + CertificateAlgorithmId certAlgId = (CertificateAlgorithmId) + certInfo[i].get(X509CertInfo.ALGORITHM_ID); - AlgorithmId algId = (AlgorithmId) certAlgId - .get(CertificateAlgorithmId.ALGORITHM); + AlgorithmId algId = (AlgorithmId) + certAlgId.get(CertificateAlgorithmId.ALGORITHM); String alg = algId.getName(); // test against the list of allowed algorithms @@ -301,28 +297,26 @@ public class SigningAlgorithmConstraints extends APolicyRule implements if (j == mAllowedAlgs.length) { // if the algor doesn't match the CA's key replace // it with one that does. - if (mAllowedAlgs[0].equals("SHA1withDSA") - || alg.equals("SHA1withDSA")) { - certInfo[i].set( - X509CertInfo.ALGORITHM_ID, - new CertificateAlgorithmId(AlgorithmId - .get(mAllowedAlgs[0]))); + if (mAllowedAlgs[0].equals("SHA1withDSA") || + alg.equals("SHA1withDSA")) { + certInfo[i].set(X509CertInfo.ALGORITHM_ID, + new CertificateAlgorithmId( + AlgorithmId.get(mAllowedAlgs[0]))); return PolicyResult.ACCEPTED; } // didn't find a match, alg not allowed - setError(req, CMS.getUserMessage( - "CMS_POLICY_SIGNING_ALG_VIOLATION", + setError(req, CMS.getUserMessage("CMS_POLICY_SIGNING_ALG_VIOLATION", getInstanceName(), alg), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { // e.printStackTrace(); - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; @@ -330,10 +324,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector confParams = new Vector(); StringBuffer sb = new StringBuffer(); @@ -349,10 +343,10 @@ public class SigningAlgorithmConstraints extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { StringBuffer sb = new StringBuffer(); sb.append(PROP_ALGORITHMS); sb.append("="); @@ -371,73 +365,67 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } defConfParams.addElement(sb.toString()); - return defConfParams; + return defConfParams; } public String[] getExtendedPluginInfo(Locale locale) { if (!winnowedByKey) { - try { - winnowByKey(); - } catch (Exception e) { + try { + winnowByKey(); + } catch (Exception e) { } } String[] params = null; String[] params_BOTH = { - PROP_ALGORITHMS - + ";" - + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," - + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," - + "MD2withRSA\\,MD5withRSA," - + "MD2withRSA\\,SHA1withRSA," - + "MD2withRSA\\,SHA1withDSA," - + "MD5withRSA\\,SHA1withRSA," - + "MD5withRSA\\,SHA1withDSA," - + "SHA1withRSA\\,SHA1withDSA," - + "MD2withRSA," - + "MD5withRSA," - + "SHA1withRSA," - + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " - + "to be one of the algorithms supported by Certificate System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA256withRSA\\,SHA512withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA\\,SHA1withDSA,"+ + "MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA\\,SHA1withDSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD2withRSA\\,SHA1withDSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withDSA," + + "SHA1withRSA\\,SHA1withDSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA," + + "SHA1withDSA);List of algorithms to restrict the requested signing algorithm " + + "to be one of the algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; String[] params_RSA = { - PROP_ALGORITHMS - + ";" - + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," - + "MD2withRSA\\,MD5withRSA," - + "MD2withRSA\\,SHA1withRSA," - + "MD5withRSA\\,SHA1withRSA," - + "MD2withRSA," - + "MD5withRSA," - + "SHA1withRSA);Restrict the requested signing algorithm to be " - + "one of the algorithms supported by Certificate System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(MD2withRSA\\,MD5withRSA\\,SHA1withRSA," + + "MD2withRSA\\,MD5withRSA," + + "MD2withRSA\\,SHA1withRSA," + + "MD5withRSA\\,SHA1withRSA," + + "MD2withRSA," + + "MD5withRSA," + + "SHA1withRSA);Restrict the requested signing algorithm to be " + + "one of the algorithms supported by Certificate System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; String[] params_DSA = { - PROP_ALGORITHMS - + ";" - + "choice(SHA1withDSA);Restrict the requested signing " - + "algorithm to be one of the algorithms supported by Certificate " - + "System", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-signingalgconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Restricts the requested signing algorithm to be one of" - + " the algorithms supported by Certificate System" }; + PROP_ALGORITHMS + ";" + "choice(SHA1withDSA);Restrict the requested signing " + + "algorithm to be one of the algorithms supported by Certificate " + + "System", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-signingalgconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Restricts the requested signing algorithm to be one of" + + " the algorithms supported by Certificate System" + }; switch (mDefaultAllowedAlgs.length) { case 1: @@ -459,3 +447,4 @@ public class SigningAlgorithmConstraints extends APolicyRule implements } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java index 4372e46a..8e8cd4a7 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/SubCANameConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Locale; import java.util.Vector; @@ -40,21 +41,20 @@ import com.netscape.certsrv.request.PolicyResult; import com.netscape.certsrv.security.ISigningUnit; import com.netscape.cms.policy.APolicyRule; + /** - * This simple policy checks the subordinate CA CSR to see if it is the same as - * the local CA. + * This simple policy checks the subordinate CA CSR to see + * if it is the same as the local CA. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubCANameConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class SubCANameConstraints extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { public ICertificateAuthority mCA = null; public String mIssuerNameStr = null; @@ -65,49 +65,48 @@ public class SubCANameConstraints extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subcanamecheck", - IExtendedPluginInfo.HELP_TEXT - + ";Checks if subordinate CA request matches the local CA. There are no parameters to change" }; + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subcanamecheck", + IExtendedPluginInfo.HELP_TEXT + + ";Checks if subordinate CA request matches the local CA. There are no parameters to change" + }; return params; } - + /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form - * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints - * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=KeyAlgorithmConstraints + * ra.Policy.rule.<ruleName>.algorithms=RSA,DSA + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // get CA's public key to create authority key id. - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager")); } if (!(certAuthority instanceof ICertificateAuthority)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager")); } mCA = (ICertificateAuthority) certAuthority; ISigningUnit su = mCA.getSigningUnit(); - if (su == null || CMS.isPreOpMode()) { + if( su == null || CMS.isPreOpMode() ) { return; } @@ -125,8 +124,8 @@ public class SubCANameConstraints extends APolicyRule implements /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -135,52 +134,39 @@ public class SubCANameConstraints extends APolicyRule implements try { // Get the certificate templates - X509CertInfo[] certInfos = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + if (certInfos == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_NO_CERT_INFO", getInstanceName())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME - + ":" + getInstanceName()), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_CERT_INFO", getInstanceName())); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME + ":" + getInstanceName()), ""); return PolicyResult.REJECTED; } // retrieve the subject name and check its unqiueness for (int i = 0; i < certInfos.length; i++) { - CertificateSubjectName subName = (CertificateSubjectName) certInfos[i] - .get(X509CertInfo.SUBJECT); + CertificateSubjectName subName = (CertificateSubjectName) certInfos[i].get(X509CertInfo.SUBJECT); // if there is no name set, set one here. if (subName == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_NO_SUBJECT_NAME_1", getInstanceName())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_NO_SUBJECT_NAME", NAME + ":" - + getInstanceName()), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_SUBJECT_NAME_1", getInstanceName())); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", NAME + ":" + getInstanceName()), ""); return PolicyResult.REJECTED; } String certSubjectName = subName.toString(); if (certSubjectName.equalsIgnoreCase(mIssuerNameStr)) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_SUBJECT_NAME_EXIST_1", mIssuerNameStr)); - setError(req, CMS.getUserMessage( - "CMS_POLICY_SUBJECT_NAME_EXIST", NAME + ":" - + "Same As Issuer Name " + mIssuerNameStr), - ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_SUBJECT_NAME_EXIST_1", mIssuerNameStr)); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", NAME + ":" + "Same As Issuer Name " + mIssuerNameStr), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_NO_SUBJECT_NAME_1", getInstanceName())); - String params[] = { getInstanceName(), e.toString() }; + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_SUBJECT_NAME_1", getInstanceName())); + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; @@ -188,23 +174,24 @@ public class SubCANameConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector v = new Vector(); return v; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector v = new Vector(); return v; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java index 9afbf765..dc8ecd79 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectName.java @@ -17,15 +17,17 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + + + /** * This class is used to help migrate CMS4.1 to CMS4.2. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java index 189aa99f..4e7cefe7 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/UniqueSubjectNameConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.io.IOException; import java.util.Enumeration; import java.util.Locale; @@ -43,31 +44,35 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Checks the uniqueness of the subject name. This policy can only be used - * (installed) in Certificate Authority subsystem. - * - * This policy can perform pre-agent-approval checking or post-agent-approval - * checking based on configuration setting. - * - * In some situations, user may want to have 2 certificates with the same - * subject name. For example, one key for encryption, and one for signing. This - * policy does not deal with this case directly. But it can be easily extended - * to do that. + * Checks the uniqueness of the subject name. This policy + * can only be used (installed) in Certificate Authority + * subsystem. + * + * This policy can perform pre-agent-approval checking or + * post-agent-approval checking based on configuration + * setting. + * + * In some situations, user may want to have 2 certificates with + * the same subject name. For example, one key for encryption, + * and one for signing. This policy does not deal with this case + * directly. But it can be easily extended to do that. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class UniqueSubjectNameConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { - protected static final String PROP_PRE_AGENT_APPROVAL_CHECKING = "enablePreAgentApprovalChecking"; - protected static final String PROP_KEY_USAGE_EXTENSION_CHECKING = "enableKeyUsageExtensionChecking"; +public class UniqueSubjectNameConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + protected static final String PROP_PRE_AGENT_APPROVAL_CHECKING = + "enablePreAgentApprovalChecking"; + protected static final String PROP_KEY_USAGE_EXTENSION_CHECKING = + "enableKeyUsageExtensionChecking"; public ICertificateAuthority mCA = null; @@ -77,19 +82,18 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements public UniqueSubjectNameConstraints() { NAME = "UniqueSubjectName"; DESC = "Ensure the uniqueness of the subject name."; - } + } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_PRE_AGENT_APPROVAL_CHECKING - + ";boolean;If checked, check subject name uniqueness BEFORE agent approves, (else checks AFTER approval)", - PROP_KEY_USAGE_EXTENSION_CHECKING - + ";boolean;If checked, allow non-unique subject names if Key Usage Extension differs", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-uniquesubjectname", - IExtendedPluginInfo.HELP_TEXT - + ";Rejects a request if there exists an unrevoked, unexpired " - + "certificate with the same subject name" }; + PROP_PRE_AGENT_APPROVAL_CHECKING + ";boolean;If checked, check subject name uniqueness BEFORE agent approves, (else checks AFTER approval)", + PROP_KEY_USAGE_EXTENSION_CHECKING + ";boolean;If checked, allow non-unique subject names if Key Usage Extension differs", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-uniquesubjectname", + IExtendedPluginInfo.HELP_TEXT + + ";Rejects a request if there exists an unrevoked, unexpired " + + "certificate with the same subject name" + }; return params; @@ -98,46 +102,42 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ca.Policy.rule.<ruleName>.implName=UniqueSubjectName - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.enablePreAgentApprovalChecking=true - * ca.Policy.rule.<ruleName>.enableKeyUsageExtensionChecking=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=UniqueSubjectName + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.enablePreAgentApprovalChecking=true + * ca.Policy.rule.<ruleName>.enableKeyUsageExtensionChecking=true + * + * @param config The config store reference */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { // get CA's public key to create authority key id. - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager or Registration Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot find the Certificate Manager or Registration Manager")); } if (!(certAuthority instanceof ICertificateAuthority)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot find the Certificate Manager")); } mCA = (ICertificateAuthority) certAuthority; try { - mPreAgentApprovalChecking = config.getBoolean( - PROP_PRE_AGENT_APPROVAL_CHECKING, false); + mPreAgentApprovalChecking = + config.getBoolean(PROP_PRE_AGENT_APPROVAL_CHECKING, false); } catch (EBaseException e) { } try { - mKeyUsageExtensionChecking = config.getBoolean( - PROP_KEY_USAGE_EXTENSION_CHECKING, true); + mKeyUsageExtensionChecking = + config.getBoolean(PROP_KEY_USAGE_EXTENSION_CHECKING, true); } catch (EBaseException e) { } } @@ -145,8 +145,8 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -160,52 +160,47 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements try { // Get the certificate templates - X509CertInfo[] certInfos = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] certInfos = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); + if (certInfos == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } // retrieve the subject name and check its unqiueness for (int i = 0; i < certInfos.length; i++) { - CertificateSubjectName subName = (CertificateSubjectName) certInfos[i] - .get(X509CertInfo.SUBJECT); + CertificateSubjectName subName = (CertificateSubjectName) + certInfos[i].get(X509CertInfo.SUBJECT); // if there is no name set, set one here. if (subName == null) { - setError(req, CMS.getUserMessage( - "CMS_POLICY_NO_SUBJECT_NAME", getInstanceName()), - ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUBJECT_NAME", + getInstanceName()), ""); return PolicyResult.REJECTED; } String certSubjectName = subName.toString(); String filter = "x509Cert.subject=" + certSubjectName; // subject name is indexed, so we only use subject name // in the filter - Enumeration matched = mCA.getCertificateRepository() - .findCertRecords(filter); + Enumeration matched = + mCA.getCertificateRepository().findCertRecords(filter); while (matched.hasMoreElements()) { ICertRecord rec = (ICertRecord) matched.nextElement(); String status = rec.getStatus(); - if (status.equals(ICertRecord.STATUS_REVOKED) - || status.equals(ICertRecord.STATUS_EXPIRED) - || status - .equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { - // accept this only if we have a REVOKED, + if (status.equals(ICertRecord.STATUS_REVOKED) || status.equals(ICertRecord.STATUS_EXPIRED) || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + // accept this only if we have a REVOKED, // EXPIRED or REVOKED_EXPIRED certificate continue; - + } - // you already have an VALID or INVALID (not yet valid) - // certificate + // you already have an VALID or INVALID (not yet valid) certificate if (mKeyUsageExtensionChecking && agentApproved(req)) { - // This request is agent approved which - // means all requested extensions are finalized + // This request is agent approved which + // means all requested extensions are finalized // to the request, // We will accept duplicated subject name with // different keyUsage extension if @@ -215,35 +210,35 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements } } - setError(req, CMS.getUserMessage( - "CMS_POLICY_SUBJECT_NAME_EXIST", getInstanceName() - + " " + certSubjectName), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_NAME_EXIST", + getInstanceName() + " " + certSubjectName), ""); return PolicyResult.REJECTED; } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; } /** - * Checks if the key extension in the issued certificate is the same as the - * one in the certificate template. + * Checks if the key extension in the issued certificate + * is the same as the one in the certificate template. */ - private boolean sameKeyUsageExtension(ICertRecord rec, X509CertInfo certInfo) { + private boolean sameKeyUsageExtension(ICertRecord rec, + X509CertInfo certInfo) { X509CertImpl impl = rec.getCertificate(); boolean bits[] = impl.getKeyUsage(); CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { } catch (java.security.cert.CertificateException e) { } @@ -254,8 +249,8 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements return false; } else { try { - ext = (KeyUsageExtension) extensions - .get(KeyUsageExtension.NAME); + ext = (KeyUsageExtension) extensions.get( + KeyUsageExtension.NAME); } catch (IOException e) { // extension isn't there. } @@ -287,25 +282,25 @@ public class UniqueSubjectNameConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + "=" - + mPreAgentApprovalChecking); - confParams.addElement(PROP_KEY_USAGE_EXTENSION_CHECKING + "=" - + mKeyUsageExtensionChecking); + confParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + + "=" + mPreAgentApprovalChecking); + confParams.addElement(PROP_KEY_USAGE_EXTENSION_CHECKING + + "=" + mKeyUsageExtensionChecking); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_PRE_AGENT_APPROVAL_CHECKING + "="); diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java index c82c8b1f..62c49450 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -34,24 +35,26 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * ValidityConstraints is a default rule for Enrollment and Renewal that - * enforces minimum and maximum validity periods and changes them if not met. - * - * Optionally the lead and lag times - i.e how far back into the front or back - * the notBefore date could go in minutes can also be specified. + * ValidityConstraints is a default rule for Enrollment and + * Renewal that enforces minimum and maximum validity periods + * and changes them if not met. + * + * Optionally the lead and lag times - i.e how far back into the + * front or back the notBefore date could go in minutes can also + * be specified. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class ValidityConstraints extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class ValidityConstraints extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected long mMinValidity; protected long mMaxValidity; protected long mLeadTime; @@ -74,29 +77,32 @@ public class ValidityConstraints extends APolicyRule implements private final static Vector defConfParams = new Vector(); static { - defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY); - defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY); - defConfParams.addElement(PROP_LEAD_TIME + "=" + DEF_LEAD_TIME); - defConfParams.addElement(PROP_LAG_TIME + "=" + DEF_LAG_TIME); - defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" - + DEF_NOT_BEFORE_SKEW); + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_LEAD_TIME + "=" + + DEF_LEAD_TIME); + defConfParams.addElement(PROP_LAG_TIME + "=" + + DEF_LAG_TIME); + defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + + DEF_NOT_BEFORE_SKEW); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { PROP_MIN_VALIDITY + ";number;Minimum Validity time, in days", PROP_MAX_VALIDITY + ";number;Maximum Validity time, in days", - PROP_LEAD_TIME - + ";number;Number of minutes in the future a request's notBefore can be", + PROP_LEAD_TIME + ";number;Number of minutes in the future a request's notBefore can be", PROP_LAG_TIME + ";number;NOT CURRENTLY IN USE", - PROP_NOT_BEFORE_SKEW - + ";number;Number of minutes a cert's notBefore should be in the past", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-validityconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Ensures that the user's requested validity period is " - + "acceptable. If not specified, as is usually the case, " - + "this policy will set the validity. See RFC 2459." }; + PROP_NOT_BEFORE_SKEW + ";number;Number of minutes a cert's notBefore should be in the past", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-validityconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Ensures that the user's requested validity period is " + + "acceptable. If not specified, as is usually the case, " + + "this policy will set the validity. See RFC 2459." + }; return params; @@ -110,19 +116,19 @@ public class ValidityConstraints extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minValidity=30 - * ra.Policy.rule.<ruleName>.maxValidity=180 - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minValidity=30 + * ra.Policy.rule.<ruleName>.maxValidity=180 + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { @@ -158,18 +164,18 @@ public class ValidityConstraints extends APolicyRule implements mNotBeforeSkew = DEF_NOT_BEFORE_SKEW * MINS_TO_MS_FACTOR; } catch (Exception e) { // e.printStackTrace(); - String[] params = { getInstanceName(), e.toString() }; + String[] params = {getInstanceName(), e.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_CONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -178,10 +184,9 @@ public class ValidityConstraints extends APolicyRule implements try { // Get the certificate info from the request - // X509CertInfo certInfo[] = (X509CertInfo[]) - // req.get(IRequest.CERT_INFO); - X509CertInfo certInfo[] = req - .getExtDataInCertInfoArray(IRequest.CERT_INFO); + //X509CertInfo certInfo[] = (X509CertInfo[]) + // req.get(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); // There should be a certificate info set. if (certInfo == null) { @@ -192,67 +197,64 @@ public class ValidityConstraints extends APolicyRule implements // Else check if validity is within the limit for (int i = 0; i < certInfo.length; i++) { - CertificateValidity validity = (CertificateValidity) certInfo[i] - .get(X509CertInfo.VALIDITY); + CertificateValidity validity = (CertificateValidity) + certInfo[i].get(X509CertInfo.VALIDITY); Date notBefore = null, notAfter = null; if (validity != null) { - notBefore = (Date) validity - .get(CertificateValidity.NOT_BEFORE); - notAfter = (Date) validity - .get(CertificateValidity.NOT_AFTER); + notBefore = (Date) + validity.get(CertificateValidity.NOT_BEFORE); + notAfter = (Date) + validity.get(CertificateValidity.NOT_AFTER); } - // If no validity is supplied yet, make one. The default + // If no validity is supplied yet, make one. The default // validity is supposed to pass the following checks, so // bypass further checking. // (date = 0 is hack for serialization) - if (validity == null - || (notBefore.getTime() == 0 && notAfter.getTime() == 0)) { + if (validity == null || + (notBefore.getTime() == 0 && notAfter.getTime() == 0)) { certInfo[i].set(X509CertInfo.VALIDITY, - makeDefaultValidity(req)); + makeDefaultValidity(req)); continue; } Date now = CMS.getCurrentDate(); if (notBefore.getTime() > (now.getTime() + mLeadTime)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME", - getInstanceName()), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME", + getInstanceName()), ""); result = PolicyResult.REJECTED; } - if ((notAfter.getTime() - notBefore.getTime()) > mMaxValidity) { - String params[] = { - getInstanceName(), - String.valueOf(((notAfter.getTime() - notBefore - .getTime()) / DAYS_TO_MS_FACTOR)), - String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; - - setError(req, CMS.getUserMessage( - "CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), ""); + if ((notAfter.getTime() - notBefore.getTime()) > + mMaxValidity) { + String params[] = {getInstanceName(), + String.valueOf( + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR)}; + + setError(req, CMS.getUserMessage("CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), ""); result = PolicyResult.REJECTED; } - if ((notAfter.getTime() - notBefore.getTime()) < mMinValidity) { - String params[] = { - getInstanceName(), - String.valueOf(((notAfter.getTime() - notBefore - .getTime()) / DAYS_TO_MS_FACTOR)), - String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR) }; - - setError(req, CMS.getUserMessage( - "CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), ""); + if ((notAfter.getTime() - notBefore.getTime()) < + mMinValidity) { + String params[] = {getInstanceName(), + String.valueOf( + ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)), + String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR)}; + + setError(req, CMS.getUserMessage("CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), ""); result = PolicyResult.REJECTED; } } } catch (Exception e) { // e.printStackTrace(); - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + params), ""); result = PolicyResult.REJECTED; } return result; @@ -260,28 +262,28 @@ public class ValidityConstraints extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity - / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity - / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_LEAD_TIME + "=" + mLeadTime - / MINS_TO_MS_FACTOR); - confParams.addElement(PROP_LAG_TIME + "=" + mLagTime - / MINS_TO_MS_FACTOR); - confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + mNotBeforeSkew - / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_MIN_VALIDITY + "=" + + mMinValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_LEAD_TIME + "=" + + mLeadTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_LAG_TIME + "=" + + mLagTime / MINS_TO_MS_FACTOR); + confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + + mNotBeforeSkew / MINS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -290,12 +292,12 @@ public class ValidityConstraints extends APolicyRule implements /** * Create a default validity value for a request - * + * * This code can be easily overridden in a derived class, if the * calculations here aren't accepatble. - * - * TODO: it might be good to base this calculation on the creation time of - * the request. + * + * TODO: it might be good to base this calculation on the creation + * time of the request. */ protected CertificateValidity makeDefaultValidity(IRequest req) { long now = roundTimeToSecond((CMS.getCurrentDate()).getTime()); @@ -309,11 +311,13 @@ public class ValidityConstraints extends APolicyRule implements } /** - * convert a millisecond resolution time into one with 1 second resolution. - * Most times in certificates are storage at 1 second resolution, so its - * better if we deal with things at that level. + * convert a millisecond resolution time into one with 1 second + * resolution. Most times in certificates are storage at 1 + * second resolution, so its better if we deal with things at + * that level. */ protected long roundTimeToSecond(long input) { return (input / 1000) * 1000; } } + |