summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java206
1 files changed, 98 insertions, 108 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java
index 717c19f7..733b7525 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.extensions;
-
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.Locale;
@@ -40,31 +39,28 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
- * Policy Constraints Extension Policy
- * Adds the policy constraints extension to (CA) certificates.
- * Filtering of CA certificates is done through predicates.
+ * Policy Constraints Extension Policy Adds the policy constraints extension to
+ * (CA) certificates. Filtering of CA certificates is done through predicates.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class PolicyConstraintsExt extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+public class PolicyConstraintsExt extends APolicyRule implements
+ IEnrollmentPolicy, IExtendedPluginInfo {
protected static final String PROP_CRITICAL = "critical";
- protected static final String
- PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy";
- protected static final String
- PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping";
+ protected static final String PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy";
+ protected static final String PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping";
protected static final boolean DEF_CRITICAL = false;
- protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set
- protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set
+ protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set
+ protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set
protected boolean mEnabled = false;
protected IConfigStore mConfig = null;
@@ -79,10 +75,10 @@ public class PolicyConstraintsExt extends APolicyRule
protected static Vector mDefaultParams = new Vector();
static {
mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL);
- mDefaultParams.addElement(
- PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY);
- mDefaultParams.addElement(
- PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING);
+ mDefaultParams.addElement(PROP_REQ_EXPLICIT_POLICY + "="
+ + DEF_REQ_EXPLICIT_POLICY);
+ mDefaultParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "="
+ + DEF_INHIBIT_POLICY_MAPPING);
}
public PolicyConstraintsExt() {
@@ -93,100 +89,90 @@ public class PolicyConstraintsExt extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries may be of the form:
- *
- * ca.Policy.rule.<ruleName>.predicate=certType==ca
- * ca.Policy.rule.<ruleName>.implName=
- * ca.Policy.rule.<ruleName>.enable=true
- *
- * @param config The config store reference
+ *
+ * ca.Policy.rule.<ruleName>.predicate=certType==ca
+ * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mConfig = config;
- // XXX should do do this ?
- // if CA does not allow subordinate CAs by way of basic constraints,
- // this policy always rejects
+ // XXX should do do this ?
+ // if CA does not allow subordinate CAs by way of basic constraints,
+ // this policy always rejects
/*****
- ICertAuthority certAuthority = (ICertAuthority)
- ((GenericPolicyProcessor)owner).mAuthority;
- if (certAuthority instanceof ICertificateAuthority) {
- CertificateChain caChain = certAuthority.getCACertChain();
- X509Certificate caCert = null;
- // Note that in RA the chain could be null if CA was not up when
- // RA was started. In that case just set the length to -1 and let
- // CA reject if it does not allow any subordinate CA certs.
- if (caChain != null) {
- caCert = caChain.getFirstCertificate();
- if (caCert != null)
- mCAPathLen = caCert.getBasicConstraints();
- }
- }
+ * ICertAuthority certAuthority = (ICertAuthority)
+ * ((GenericPolicyProcessor)owner).mAuthority; if (certAuthority
+ * instanceof ICertificateAuthority) { CertificateChain caChain =
+ * certAuthority.getCACertChain(); X509Certificate caCert = null; //
+ * Note that in RA the chain could be null if CA was not up when // RA
+ * was started. In that case just set the length to -1 and let // CA
+ * reject if it does not allow any subordinate CA certs. if (caChain !=
+ * null) { caCert = caChain.getFirstCertificate(); if (caCert != null)
+ * mCAPathLen = caCert.getBasicConstraints(); } }
****/
- mEnabled = mConfig.getBoolean(
- IPolicyProcessor.PROP_ENABLE, false);
+ mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false);
mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL);
- mReqExplicitPolicy = mConfig.getInteger(
- PROP_REQ_EXPLICIT_POLICY, DEF_REQ_EXPLICIT_POLICY);
- mInhibitPolicyMapping = mConfig.getInteger(
- PROP_INHIBIT_POLICY_MAPPING, DEF_INHIBIT_POLICY_MAPPING);
+ mReqExplicitPolicy = mConfig.getInteger(PROP_REQ_EXPLICIT_POLICY,
+ DEF_REQ_EXPLICIT_POLICY);
+ mInhibitPolicyMapping = mConfig.getInteger(PROP_INHIBIT_POLICY_MAPPING,
+ DEF_INHIBIT_POLICY_MAPPING);
- if (mReqExplicitPolicy < -1)
+ if (mReqExplicitPolicy < -1)
mReqExplicitPolicy = -1;
- if (mInhibitPolicyMapping < -1)
+ if (mInhibitPolicyMapping < -1)
mInhibitPolicyMapping = -1;
-
- // create instance of policy constraings extension
+
+ // create instance of policy constraings extension
try {
- mPolicyConstraintsExtension =
- new PolicyConstraintsExtension(mCritical,
- mReqExplicitPolicy, mInhibitPolicyMapping);
- CMS.debug(
- "PolicyConstraintsExt: Created Policy Constraints Extension: " +
- mPolicyConstraintsExtension);
+ mPolicyConstraintsExtension = new PolicyConstraintsExtension(
+ mCritical, mReqExplicitPolicy, mInhibitPolicyMapping);
+ CMS.debug("PolicyConstraintsExt: Created Policy Constraints Extension: "
+ + mPolicyConstraintsExtension);
} catch (IOException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString()));
- throw new EBaseException(
- CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
- "Could not init Policy Constraints Extension. Error: " + e));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INTERNAL_ERROR",
+ "Could not init Policy Constraints Extension. Error: " + e));
}
- // form instance params
+ // form instance params
mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical);
- mInstanceParams.addElement(
- PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy);
- mInstanceParams.addElement(
- PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping);
+ mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "="
+ + mReqExplicitPolicy);
+ mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "="
+ + mInhibitPolicyMapping);
}
/**
* Adds Policy Constraints Extension to a (CA) certificate.
*
- * If a Policy constraints Extension is already there, accept it if
- * it's been approved by agent, else replace it.
- *
- * @param req The request on which to apply policy.
+ * If a Policy constraints Extension is already there, accept it if it's
+ * been approved by agent, else replace it.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
- // if extension hasn't been properly configured reject requests until
+ // if extension hasn't been properly configured reject requests until
// it has been resolved (or disabled).
if (mPolicyConstraintsExtension == null) {
return PolicyResult.ACCEPTED;
}
// get certInfo from request.
- X509CertInfo[] ci =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
if (ci == null || ci[0] == null) {
setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME);
- return PolicyResult.REJECTED;
+ return PolicyResult.REJECTED;
}
for (int i = 0; i < ci.length; i++) {
@@ -205,16 +191,16 @@ public class PolicyConstraintsExt extends APolicyRule
// else ignore.
try {
PolicyConstraintsExtension policyConstraintsExt = null;
- CertificateExtensions extensions = (CertificateExtensions)
- certInfo.get(X509CertInfo.EXTENSIONS);
+ CertificateExtensions extensions = (CertificateExtensions) certInfo
+ .get(X509CertInfo.EXTENSIONS);
try {
if (extensions != null) {
- policyConstraintsExt = (PolicyConstraintsExtension)
- extensions.get(PolicyConstraintsExtension.NAME);
+ policyConstraintsExt = (PolicyConstraintsExtension) extensions
+ .get(PolicyConstraintsExtension.NAME);
}
} catch (IOException e) {
- // extension isn't there.
+ // extension isn't there.
}
if (policyConstraintsExt != null) {
@@ -226,65 +212,69 @@ public class PolicyConstraintsExt extends APolicyRule
}
if (extensions == null) {
- certInfo.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
+ certInfo.set(X509CertInfo.VERSION, new CertificateVersion(
+ CertificateVersion.V3));
extensions = new CertificateExtensions();
certInfo.set(X509CertInfo.EXTENSIONS, extensions);
}
- extensions.set(
- "PolicyConstriantsExt", mPolicyConstraintsExtension);
+ extensions.set("PolicyConstriantsExt", mPolicyConstraintsExtension);
CMS.debug("PolicyConstraintsExt: added our policy constraints extension");
return PolicyResult.ACCEPTED;
} catch (IOException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, e.getMessage());
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString()));
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, e.getMessage());
return PolicyResult.REJECTED;
} catch (CertificateException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString()));
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
- NAME, "Certificate Info Error");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString()));
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"),
+ NAME, "Certificate Info Error");
return PolicyResult.REJECTED;
}
}
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getInstanceParams() {
+ public Vector getInstanceParams() {
return mInstanceParams;
}
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
- public Vector getDefaultParams() {
+ public Vector getDefaultParams() {
return mDefaultParams;
}
/**
- * gets plugin info for pretty console edit displays.
+ * gets plugin info for pretty console edit displays.
*/
public String[] getExtendedPluginInfo(Locale locale) {
mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical);
- mInstanceParams.addElement(
- PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy);
- mInstanceParams.addElement(
- PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping);
+ mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "="
+ + mReqExplicitPolicy);
+ mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "="
+ + mInhibitPolicyMapping);
String[] params = {
- PROP_CRITICAL + ";boolean;RFC 2459 recommendation: may be critical or non-critical.",
- PROP_REQ_EXPLICIT_POLICY + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.",
- PROP_INHIBIT_POLICY_MAPPING + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.",
- IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-policyconstraints"
- };
+ PROP_CRITICAL
+ + ";boolean;RFC 2459 recommendation: may be critical or non-critical.",
+ PROP_REQ_EXPLICIT_POLICY
+ + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.",
+ PROP_INHIBIT_POLICY_MAPPING
+ + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-policyconstraints" };
return params;
}
}
-
generated by cgit (git 2.34.1) at 2024-05-05 14:05:07 +0000