summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java136
1 files changed, 66 insertions, 70 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java
index 4e9ef825..0988a636 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.extensions;
-
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@@ -44,25 +43,25 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
- * Policy to add Key Usage Extension.
- * Adds the key usage extension based on what's requested.
+ * Policy to add Key Usage Extension. Adds the key usage extension based on
+ * what's requested.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
public class KeyUsageExt extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+ implements IEnrollmentPolicy, IExtendedPluginInfo {
private final static String HTTP_INPUT = "HTTP_INPUT";
- protected static final boolean[] DEF_BITS =
- new boolean[KeyUsageExtension.NBITS];
+ protected static final boolean[] DEF_BITS =
+ new boolean[KeyUsageExtension.NBITS];
protected int mCAPathLen = -1;
protected IConfigStore mConfig = null;
protected static final String PROP_CRITICAL = "critical";
@@ -97,25 +96,24 @@ public class KeyUsageExt extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries may be of the form:
- *
- * ca.Policy.rule.<ruleName>.implName=KeyUsageExt
- * ca.Policy.rule.<ruleName>.enable=true
- * ca.Policy.rule.<ruleName>.
- *
- * @param config The config store reference
+ *
+ * ca.Policy.rule.<ruleName>.implName=KeyUsageExt
+ * ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>.
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mConfig = config;
ICertAuthority certAuthority = (ICertAuthority)
- ((IPolicyProcessor) owner).getAuthority();
+ ((IPolicyProcessor) owner).getAuthority();
if (certAuthority == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER"));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
"Cannot find the Certificate Manager or Registration Manager"));
}
@@ -123,9 +121,9 @@ public class KeyUsageExt extends APolicyRule
CertificateChain caChain = certAuthority.getCACertChain();
X509Certificate caCert = null;
- // Note that in RA the chain could be null if CA was not up when
- // RA was started. In that case just set the length to -1 and let
- // CA reject if it does not allow any subordinate CA certs.
+ // Note that in RA the chain could be null if CA was not up when
+ // RA was started. In that case just set the length to -1 and let
+ // CA reject if it does not allow any subordinate CA certs.
if (caChain != null) {
caCert = caChain.getFirstCertificate();
mCAPathLen = caCert.getBasicConstraints();
@@ -145,30 +143,29 @@ public class KeyUsageExt extends APolicyRule
}
/**
- * Adds the key usage extension if not set already.
- * (CRMF, agent, authentication (currently) or PKCS#10 (future)
- * or RA could have set the extension.)
- * If not set, set from http input parameters or use default if
+ * Adds the key usage extension if not set already. (CRMF, agent,
+ * authentication (currently) or PKCS#10 (future) or RA could have set the
+ * extension.) If not set, set from http input parameters or use default if
* no http input parameters are set.
*
- * Note: this allows any bits requested - does not check if user
- * authenticated is allowed to have a Key Usage Extension with
- * those bits. Unless the CA's certificate path length is 0, then
- * we do not allow CA sign or CRL sign bits in any request.
+ * Note: this allows any bits requested - does not check if user
+ * authenticated is allowed to have a Key Usage Extension with those bits.
+ * Unless the CA's certificate path length is 0, then we do not allow CA
+ * sign or CRL sign bits in any request.
*
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
PolicyResult res = PolicyResult.ACCEPTED;
- X509CertInfo[] ci =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo[] ci =
+ req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (ci == null || ci[0] == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
+ setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
return PolicyResult.REJECTED; // unrecoverable error.
}
@@ -184,7 +181,7 @@ public class KeyUsageExt extends APolicyRule
public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) {
try {
CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
+ certInfo.get(X509CertInfo.EXTENSIONS);
KeyUsageExtension ext = null;
if (extensions != null) {
@@ -195,7 +192,7 @@ public class KeyUsageExt extends APolicyRule
// extension isn't there.
ext = null;
}
- // check if CA does not allow subordinate CA certs.
+ // check if CA does not allow subordinate CA certs.
// otherwise accept existing key usage extension.
if (ext != null) {
if (mCAPathLen == 0) {
@@ -203,11 +200,11 @@ public class KeyUsageExt extends APolicyRule
if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT &&
bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) ||
- (bits.length > KeyUsageExtension.CRL_SIGN_BIT &&
+ (bits.length > KeyUsageExtension.CRL_SIGN_BIT &&
bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) {
- setError(req,
- CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"),
- NAME);
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"),
+ NAME);
return PolicyResult.REJECTED;
}
}
@@ -216,8 +213,8 @@ public class KeyUsageExt extends APolicyRule
} else {
// create extensions set if none.
if (extensions == null) {
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
+ certInfo.set(X509CertInfo.VERSION,
+ new CertificateVersion(CertificateVersion.V3));
extensions = new CertificateExtensions();
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
}
@@ -225,41 +222,41 @@ public class KeyUsageExt extends APolicyRule
boolean[] bits = new boolean[KeyUsageExtension.NBITS];
- bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature",
- mDigitalSignature, req);
- bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation",
+ bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature",
+ mDigitalSignature, req);
+ bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation",
mNonRepudiation, req);
- bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment",
+ bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment",
mKeyEncipherment, req);
- bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment",
+ bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment",
mDataEncipherment, req);
- bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement",
- mKeyAgreement, req);
- bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign",
+ bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement",
+ mKeyAgreement, req);
+ bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign",
mKeyCertsign, req);
bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req);
bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only",
mEncipherOnly, req);
- bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only",
+ bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only",
mDecipherOnly, req);
-
- // don't allow no bits set or the extension does not
+
+ // don't allow no bits set or the extension does not
// encode/decode properlly.
boolean bitset = false;
for (int i = 0; i < bits.length; i++) {
if (bits[i]) {
- bitset = true;
+ bitset = true;
break;
}
}
if (!bitset) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME));
setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"),
- NAME);
+ NAME);
return PolicyResult.REJECTED;
}
-
+
// create the extension.
try {
mKeyUsage = new KeyUsageExtension(mCritical, bits);
@@ -269,23 +266,23 @@ public class KeyUsageExt extends APolicyRule
return PolicyResult.ACCEPTED;
} catch (IOException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, e.getMessage());
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, e.getMessage());
return PolicyResult.REJECTED; // unrecoverable error.
} catch (CertificateException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Certificate Info Error");
+ setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, "Certificate Info Error");
return PolicyResult.REJECTED; // unrecoverable error.
}
}
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector<String> getInstanceParams() {
+ public Vector<String> getInstanceParams() {
Vector<String> params = new Vector<String>();
params.addElement(PROP_CRITICAL + "=" + mCritical);
@@ -328,21 +325,21 @@ public class KeyUsageExt extends APolicyRule
PROP_ENCIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input",
PROP_DECIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input",
IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-keyusage",
+ ";configuration-policyrules-keyusage",
IExtendedPluginInfo.HELP_TEXT +
- ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)"
+ ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)"
- };
+ };
return params;
}
-
+
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector<String> getDefaultParams() {
+ public Vector<String> getDefaultParams() {
return mDefParams;
}
@@ -355,4 +352,3 @@ public class KeyUsageExt extends APolicyRule
return Boolean.valueOf(choice).booleanValue();
}
}
-
generated by cgit (git 2.34.1) at 2024-06-21 19:58:48 +0000