Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java | 136 |
1 files changed, 66 insertions, 70 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java index 4e9ef825..0988a636 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; - import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; @@ -44,25 +43,25 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * Policy to add Key Usage Extension. - * Adds the key usage extension based on what's requested. + * Policy to add Key Usage Extension. Adds the key usage extension based on + * what's requested. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ public class KeyUsageExt extends APolicyRule - implements IEnrollmentPolicy, IExtendedPluginInfo { + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String HTTP_INPUT = "HTTP_INPUT"; - protected static final boolean[] DEF_BITS = - new boolean[KeyUsageExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[KeyUsageExtension.NBITS]; protected int mCAPathLen = -1; protected IConfigStore mConfig = null; protected static final String PROP_CRITICAL = "critical"; 
@@ -97,25 +96,24 @@ public class KeyUsageExt extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=KeyUsageExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>. - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=KeyUsageExt + * ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>. + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; ICertAuthority certAuthority = (ICertAuthority) - ((IPolicyProcessor) owner).getAuthority(); + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", "Cannot find the Certificate Manager or Registration Manager")); } @@ -123,9 +121,9 @@ public class KeyUsageExt extends APolicyRule CertificateChain caChain = certAuthority.getCACertChain(); X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); mCAPathLen = caCert.getBasicConstraints(); 
@@ -145,30 +143,29 @@ public class KeyUsageExt extends APolicyRule } /** - * Adds the key usage extension if not set already. - * (CRMF, agent, authentication (currently) or PKCS#10 (future) - * or RA could have set the extension.) - * If not set, set from http input parameters or use default if + * Adds the key usage extension if not set already. (CRMF, agent, + * authentication (currently) or PKCS#10 (future) or RA could have set the + * extension.) If not set, set from http input parameters or use default if * no http input parameters are set. * - * Note: this allows any bits requested - does not check if user - * authenticated is allowed to have a Key Usage Extension with - * those bits. Unless the CA's certificate path length is 0, then - * we do not allow CA sign or CRL sign bits in any request. + * Note: this allows any bits requested - does not check if user + * authenticated is allowed to have a Key Usage Extension with those bits. + * Unless the CA's certificate path length is 0, then we do not allow CA + * sign or CRL sign bits in any request. * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -184,7 +181,7 @@ public class KeyUsageExt extends APolicyRule public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { CertificateExtensions extensions = (CertificateExtensions) - certInfo.get(X509CertInfo.EXTENSIONS); + certInfo.get(X509CertInfo.EXTENSIONS); KeyUsageExtension ext = null; if (extensions != null) { @@ -195,7 +192,7 @@ public class KeyUsageExt extends APolicyRule // extension isn't there. ext = null; } - // check if CA does not allow subordinate CA certs. + // check if CA does not allow subordinate CA certs. // otherwise accept existing key usage extension. if (ext != null) { if (mCAPathLen == 0) { @@ -203,11 +200,11 @@ public class KeyUsageExt extends APolicyRule if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || - (bits.length > KeyUsageExtension.CRL_SIGN_BIT && + (bits.length > KeyUsageExtension.CRL_SIGN_BIT && bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { - setError(req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), + NAME); return PolicyResult.REJECTED; } } @@ -216,8 +213,8 @@ public class KeyUsageExt extends APolicyRule } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, - new CertificateVersion(CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } 
@@ -225,41 +222,41 @@ public class KeyUsageExt extends APolicyRule boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", - mDigitalSignature, req); - bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", + bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", + mDigitalSignature, req); + bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", mNonRepudiation, req); - bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", + bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", mKeyEncipherment, req); - bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", + bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", mDataEncipherment, req); - bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", - mKeyAgreement, req); - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", + bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", + mKeyAgreement, req); + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", mKeyCertsign, req); bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", mEncipherOnly, req); - bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", + bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", mDecipherOnly, req); - - // don't allow no bits set or the extension does not + + // don't allow no bits set or the extension does not // encode/decode properlly. 
boolean bitset = false; for (int i = 0; i < bits.length; i++) { if (bits[i]) { - bitset = true; + bitset = true; break; } } if (!bitset) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), - NAME); + NAME); return PolicyResult.REJECTED; } - + // create the extension. try { mKeyUsage = new KeyUsageExtension(mCritical, bits); @@ -269,23 +266,23 @@ public class KeyUsageExt extends APolicyRule return PolicyResult.ACCEPTED; } catch (IOException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector<String> getInstanceParams() { + public Vector<String> getInstanceParams() { Vector<String> params = new Vector<String>(); params.addElement(PROP_CRITICAL + "=" + mCritical); 
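Review bot: The sub-CA restriction is enforced only on the pre-existing-extension branch; the `bits[]` assembled here from the configured choices (including `HTTP_INPUT`, which is read from the request) go straight into `new KeyUsageExtension(mCritical, bits)` with no `mCAPathLen == 0` check, so when `key_certsign`/`crl_sign` are set to HTTP_INPUT a requester can obtain keyCertSign/cRLSign from a CA whose own Basic Constraints (the source of `mCAPathLen` in `init`) forbid subordinate CAs, contradicting the class Javadoc that says those bits are refused "in any request". The `ext != null` branch above already shows the intended rejection (`CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED`); the same check should run after the last `getBit` assignment and before the "no bits set" test. This may be moot if a later policy rule re-validates Basic Constraints for the issued certificate, but nothing in this file guarantees that. `applyCert`'s signature and the pre-existing-extension branch lie outside this hunk.
```java
// … unchanged: bits[...] = getBit(...) assignments …

// Apply the same sub-CA restriction as the pre-existing-extension branch:
// requester-supplied bits must not grant CA/CRL signing when this CA's
// Basic Constraints path length is 0 (it may not issue subordinate CAs).
if (mCAPathLen == 0
        && (bits[KeyUsageExtension.KEY_CERTSIGN_BIT]
            || bits[KeyUsageExtension.CRL_SIGN_BIT])) {
    setError(req,
            CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"),
            NAME);
    return PolicyResult.REJECTED;
}

// … unchanged: "no bits set" check and extension creation …
```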
@@ -328,21 +325,21 @@ public class KeyUsageExt extends APolicyRule PROP_ENCIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", PROP_DECIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-keyusage", + ";configuration-policyrules-keyusage", IExtendedPluginInfo.HELP_TEXT + - ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" - }; + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector<String> getDefaultParams() { + public Vector<String> getDefaultParams() { return mDefParams; } @@ -355,4 +352,3 @@ public class KeyUsageExt extends APolicyRule return Boolean.valueOf(choice).booleanValue(); } } - |