diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java | 348 |
1 files changed, 186 insertions, 162 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java index 612d2492..cf09af02 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -45,21 +44,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Authority Public Key Extension Policy - * Adds the subject public key id extension to certificates. + * Authority Public Key Extension Policy Adds the subject public key id + * extension to certificates. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AuthorityKeyIdentifierExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { +public class AuthorityKeyIdentifierExt extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ALT_KEYID_TYPE = "AltKeyIdType"; @@ -77,7 +76,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule protected boolean mCritical = DEF_CRITICAL; protected String mAltKeyIdType = DEF_ALT_KEYID_TYPE; - // the extension to add to certs. + // the extension to add to certs. protected AuthorityKeyIdentifierExtension mTheExtension = null; // instance params for console @@ -88,7 +87,8 @@ public class AuthorityKeyIdentifierExt extends APolicyRule static { // form static default params. mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefaultParams.addElement(PROP_ALT_KEYID_TYPE + "=" + DEF_ALT_KEYID_TYPE); + mDefaultParams.addElement(PROP_ALT_KEYID_TYPE + "=" + + DEF_ALT_KEYID_TYPE); } public AuthorityKeyIdentifierExt() { @@ -97,120 +97,128 @@ public class AuthorityKeyIdentifierExt extends APolicyRule } /** - * Initializes this policy rule. - * Reads configuration file and creates a authority key identifier - * extension to add. Key identifier inside the extension is constructed as - * the CA's subject key identifier extension if it exists. - * If it does not exist this can be configured to use: - * (1) sha-1 hash of the CA's subject public key info - * (what communicator expects if the CA does not have a subject key - * identifier extension) or (2) No extension set (3) Empty sequence - * in Authority Key Identifier extension. - * + * Initializes this policy rule. Reads configuration file and creates a + * authority key identifier extension to add. Key identifier inside the + * extension is constructed as the CA's subject key identifier extension if + * it exists. If it does not exist this can be configured to use: (1) sha-1 + * hash of the CA's subject public key info (what communicator expects if + * the CA does not have a subject key identifier extension) or (2) No + * extension set (3) Empty sequence in Authority Key Identifier extension. + * * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= - * ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - mEnabled = mConfig.getBoolean( - IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mAltKeyIdType = mConfig.getString( - PROP_ALT_KEYID_TYPE, DEF_ALT_KEYID_TYPE); + mAltKeyIdType = mConfig.getString(PROP_ALT_KEYID_TYPE, + DEF_ALT_KEYID_TYPE); if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_SPKISHA1)) mAltKeyIdType = ALT_KEYID_TYPE_SPKISHA1; - /* - else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) - mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; - */ + /* + * else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) + * mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; + */ else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_NONE)) mAltKeyIdType = ALT_KEYID_TYPE_NONE; else { - log(ILogger.LL_FAILURE, NAME + - CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", mAltKeyIdType)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, - "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " + ALT_KEYID_TYPE_NONE)); + log(ILogger.LL_FAILURE, + NAME + + CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", + mAltKeyIdType)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, + "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " + + ALT_KEYID_TYPE_NONE)); } // create authority key id extension. - ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) + .getAuthority(); if (certAuthority == null) { // should never get here. - String msg = NAME + ": " + - "Cannot find the Certificate Manager or Registration Manager"; + String msg = NAME + + ": " + + "Cannot find the Certificate Manager or Registration Manager"; log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", msg)); } if (!(certAuthority instanceof ICertificateAuthority)) { - log(ILogger.LL_FAILURE, NAME + - CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - NAME + " policy can only be used in a Certificate Authority.")); - } - //CertificateChain caChain = certAuthority.getCACertChain(); - //X509Certificate caCert = caChain.getFirstCertificate(); + log(ILogger.LL_FAILURE, + NAME + CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); + throw new EBaseException( + CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", + NAME + + " policy can only be used in a Certificate Authority.")); + } + // CertificateChain caChain = certAuthority.getCACertChain(); + // X509Certificate caCert = caChain.getFirstCertificate(); X509CertImpl caCert = certAuthority.getCACert(); - if( caCert == null || CMS.isPreOpMode() ) { + if (caCert == null || CMS.isPreOpMode()) { return; } - KeyIdentifier keyId = formKeyIdentifier(caCert); + KeyIdentifier keyId = formKeyIdentifier(caCert); if (keyId != null) { try { - mTheExtension = new AuthorityKeyIdentifierExtension( - mCritical, keyId, null, null); + mTheExtension = new AuthorityKeyIdentifierExtension(mCritical, + keyId, null, null); } catch (IOException e) { - String msg = NAME + ": " + - "Error forming Authority Key Identifier extension: " + e; - - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + String msg = NAME + ": " + + "Error forming Authority Key Identifier extension: " + + e; + + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", msg)); } } else { } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement(PROP_ALT_KEYID_TYPE + "=" + mAltKeyIdType); } /** - * Adds Authority Key Identifier Extension to a certificate. - * If the extension is already there, accept it if it's from the agent, - * else replace it. - * - * @param req The request on which to apply policy. + * Adds Authority Key Identifier Extension to a certificate. If the + * extension is already there, accept it if it's from the agent, else + * replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); - return PolicyResult.REJECTED; + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), + ""); + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, ci[i]); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; @@ -219,135 +227,145 @@ public class AuthorityKeyIdentifierExt extends APolicyRule public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - // if authority key id extension already exists, leave it if + // if authority key id extension already exists, leave it if // from agent. else replace it. AuthorityKeyIdentifierExtension authorityKeyIdExt = null; - CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - authorityKeyIdExt = (AuthorityKeyIdentifierExtension) - extensions.get(AuthorityKeyIdentifierExtension.NAME); + authorityKeyIdExt = (AuthorityKeyIdentifierExtension) extensions + .get(AuthorityKeyIdentifierExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (authorityKeyIdExt != null) { if (agentApproved(req)) { - CMS.debug( - "AuthorityKeyIdentifierKeyExt: agent approved request id " + req.getRequestId() + - " already has authority key id extension with value " + - authorityKeyIdExt); + CMS.debug("AuthorityKeyIdentifierKeyExt: agent approved request id " + + req.getRequestId() + + " already has authority key id extension with value " + + authorityKeyIdExt); return PolicyResult.ACCEPTED; } else { - CMS.debug( - "AuthorityKeyIdentifierKeyExt: request id from user " + req.getRequestId() + - " had authority key identifier - deleted"); + CMS.debug("AuthorityKeyIdentifierKeyExt: request id from user " + + req.getRequestId() + + " had authority key identifier - deleted"); extensions.delete(AuthorityKeyIdentifierExtension.NAME); } } - // if no authority key identifier should be set b/c CA does not - // have a subject key identifier, return here. - if (mTheExtension == null) + // if no authority key identifier should be set b/c CA does not + // have a subject key identifier, return here. + if (mTheExtension == null) return PolicyResult.ACCEPTED; - // add authority key id extension. + // add authority key id extension. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, new CertificateVersion( + CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set( - AuthorityKeyIdentifierExtension.NAME, mTheExtension); - CMS.debug( - "AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + req.getRequestId()); + extensions.set(AuthorityKeyIdentifierExtension.NAME, mTheExtension); + CMS.debug("AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.toString())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", - NAME, e.getMessage()), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, e.getMessage()), ""); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", - NAME, "Certificate Info Error"), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); + setError(req, CMS.getUserMessage( + "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, + "Certificate Info Error"), ""); return PolicyResult.REJECTED; } } /** - * Form the Key Identifier in the Authority Key Identifier extension. - * from the CA's cert. + * Form the Key Identifier in the Authority Key Identifier extension. from + * the CA's cert. * <p> + * * @param caCertImpl Certificate Info * @return A Key Identifier. * @throws com.netscape.certsrv.base.EBaseException on error */ protected KeyIdentifier formKeyIdentifier(X509CertImpl caCertImpl) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; // get CA's certInfo. X509CertInfo certInfo = null; try { - certInfo = (X509CertInfo) caCertImpl.get( - X509CertImpl.NAME + "." + X509CertImpl.INFO); - if (certInfo == null) { - String msg = "Bad CA certificate encountered. " + - "TBS Certificate missing."; - - log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); + certInfo = (X509CertInfo) caCertImpl.get(X509CertImpl.NAME + "." + + X509CertImpl.INFO); + if (certInfo == null) { + String msg = "Bad CA certificate encountered. " + + "TBS Certificate missing."; + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); } } catch (CertificateException e) { - log(ILogger.LL_FAILURE, NAME + ": " + - CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - NAME + " Error decoding the CA Certificate: " + e)); + log(ILogger.LL_FAILURE, + NAME + + ": " + + CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", NAME + + " Error decoding the CA Certificate: " + e)); } // get Key Id from CA's Subject Key Id extension in CA's CertInfo. keyId = getKeyIdentifier(certInfo); - if (keyId != null) + if (keyId != null) return keyId; - // if none exists use the configured alternate. + // if none exists use the configured alternate. if (mAltKeyIdType == ALT_KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } /* - else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { - keyId = formEmptyKeyId(certInfo); - } - */ else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { + * else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { keyId = + * formEmptyKeyId(certInfo); } + */else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { keyId = null; } else { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - mAltKeyIdType, - "Unknown Alternate Key Identifier type.")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTR_VALUE", mAltKeyIdType, + "Unknown Alternate Key Identifier type.")); } return keyId; } /** - * Get the Key Identifier in a subject key identifier extension from a + * Get the Key Identifier in a subject key identifier extension from a * CertInfo. + * * @param certInfo the CertInfo structure. * @return Key Identifier in a Subject Key Identifier extension if any. */ - protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) - throws EBaseException { + protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) + throws EBaseException { CertificateExtensions exts = null; SubjectKeyIdentifierExtension subjKeyIdExt = null; KeyIdentifier keyId = null; try { - exts = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); + exts = (CertificateExtensions) certInfo + .get(X509CertInfo.EXTENSIONS); } catch (IOException e) { // extension isn't there. CMS.debug(NAME + ": " + "No extensions found. Error " + e); @@ -357,71 +375,77 @@ public class AuthorityKeyIdentifierExt extends APolicyRule CMS.debug(NAME + ": " + "No extensions found. Error " + e); return null; } - if (exts == null) + if (exts == null) return null; try { - subjKeyIdExt = (SubjectKeyIdentifierExtension) - exts.get(SubjectKeyIdentifierExtension.NAME); + subjKeyIdExt = (SubjectKeyIdentifierExtension) exts + .get(SubjectKeyIdentifierExtension.NAME); } catch (IOException e) { // extension isn't there. - CMS.debug( - "AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + e); + CMS.debug("AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + + e); return null; } if (subjKeyIdExt == null) return null; try { - keyId = (KeyIdentifier) subjKeyIdExt.get( - SubjectKeyIdentifierExtension.KEY_ID); + keyId = (KeyIdentifier) subjKeyIdExt + .get(SubjectKeyIdentifierExtension.KEY_ID); } catch (IOException e) { - // no key identifier in subject key id extension. - String msg = NAME + ": " + - "Bad Subject Key Identifier Extension found. Error: " + e; - - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + // no key identifier in subject key id extension. + String msg = NAME + ": " + + "Bad Subject Key Identifier Extension found. Error: " + e; + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", msg)); } return keyId; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL + ";boolean;" + - "RFC 2459 recommendation: MUST NOT be marked critical.", - PROP_ALT_KEYID_TYPE + ";" + - "choice(" + ALT_KEYID_TYPE_SPKISHA1 + "," + ALT_KEYID_TYPE_NONE + ");" + - "Specifies whether to use a SHA1 hash of the CA's subject " + - "public key info for key identifier or leave out the " + - "authority key identifier extension if the CA certificate " + - "does not have a Subject Key Identifier extension.", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-authkeyid", - IExtendedPluginInfo.HELP_TEXT + - ";Adds Authority Key Identifier Extension. " + - "See RFC 2459 (4.2.1.1)" - }; + PROP_CRITICAL + + ";boolean;" + + "RFC 2459 recommendation: MUST NOT be marked critical.", + PROP_ALT_KEYID_TYPE + + ";" + + "choice(" + + ALT_KEYID_TYPE_SPKISHA1 + + "," + + ALT_KEYID_TYPE_NONE + + ");" + + "Specifies whether to use a SHA1 hash of the CA's subject " + + "public key info for key identifier or leave out the " + + "authority key identifier extension if the CA certificate " + + "does not have a Subject Key Identifier extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authkeyid", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Key Identifier Extension. " + + "See RFC 2459 (4.2.1.1)" }; return params; } } - |