Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/extensions')
24 files changed, 2460 insertions, 2706 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
index 25af7298..b641d91e 100644
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthInfoAccessExt.java
@@ -17,6 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.extensions;
 
+
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.Enumeration;
@@ -42,45 +43,57 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Authority Information Access extension policy. If this policy is enabled, it - * adds an authority information access extension to the certificate. - * + * Authority Information Access extension policy. + * If this policy is enabled, it adds an authority + * information access extension to the certificate. + * * The following listed sample configuration parameters: * - * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy. - * AuthInfoAccessExt + * ca.Policy.impl.AuthInfoAccess.class=com.netscape.certsrv.policy.AuthInfoAccessExt * ca.Policy.rule.aia.ad0_location=uriName:http://ocsp1.netscape.com - * ca.Policy.rule.aia.ad0_method=ocsp ca.Policy.rule.aia.ad1_location_type=URI + * ca.Policy.rule.aia.ad0_method=ocsp + * ca.Policy.rule.aia.ad1_location_type=URI * ca.Policy.rule.aia.ad1_location=http://ocsp2.netscape.com - * ca.Policy.rule.aia.ad1_method=ocsp ca.Policy.rule.aia.ad2_location= - * ca.Policy.rule.aia.ad2_method= ca.Policy.rule.aia.ad3_location= - * ca.Policy.rule.aia.ad3_method= ca.Policy.rule.aia.ad4_location= - * ca.Policy.rule.aia.ad4_method= ca.Policy.rule.aia.critical=true - * ca.Policy.rule.aia.enable=true ca.Policy.rule.aia.implName=AuthInfoAccess + * ca.Policy.rule.aia.ad1_method=ocsp + * ca.Policy.rule.aia.ad2_location= + * ca.Policy.rule.aia.ad2_method= + * ca.Policy.rule.aia.ad3_location= + * ca.Policy.rule.aia.ad3_method= + * ca.Policy.rule.aia.ad4_location= + * ca.Policy.rule.aia.ad4_method= + * ca.Policy.rule.aia.critical=true + * ca.Policy.rule.aia.enable=true + * ca.Policy.rule.aia.implName=AuthInfoAccess * ca.Policy.rule.aia.predicate= - * - * Currently, this policy only supports the following location: uriName:[URI], - * dirName:[DN] + * + * Currently, this policy only supports the following location: + * uriName:[URI], dirName:[DN] * <P> - * * <PRE> * NOTE: 
The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AuthInfoAccessExt extends APolicyRule implements +public class AuthInfoAccessExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { - protected static final String PROP_CRITICAL = "critical"; - protected static final String PROP_AD = "ad"; - protected static final String PROP_METHOD = "method"; - protected static final String PROP_LOCATION = "location"; - protected static final String PROP_LOCATION_TYPE = "location_type"; - - protected static final String PROP_NUM_ADS = "numADs"; + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_AD = + "ad"; + protected static final String PROP_METHOD = + "method"; + protected static final String PROP_LOCATION = + "location"; + protected static final String PROP_LOCATION_TYPE = + "location_type"; + + protected static final String PROP_NUM_ADS = + "numADs"; public static final int MAX_AD = 5; 
@@ -94,28 +107,19 @@ public class AuthInfoAccessExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { Vector v = new Vector(); - v.addElement(PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); - v.addElement(PROP_NUM_ADS - + ";number;The total number of access descriptions."); - v.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Authority Info Access Extension. Defined in RFC 2459 " - + "(4.2.2.1)"); - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-authinfoaccess"); + v.addElement(PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: This extension MUST be non-critical."); + v.addElement(PROP_NUM_ADS + + ";number;The total number of access descriptions."); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Info Access Extension. Defined in RFC 2459 " + "(4.2.2.1)"); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authinfoaccess"); for (int i = 0; i < MAX_AD; i++) { - v.addElement(PROP_AD - + Integer.toString(i) - + "_" - + PROP_METHOD - + ";string;" - + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); - v.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_LOCATION_TYPE + ";" - + IGeneralNameUtil.GENNAME_CHOICE_INFO); - v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION - + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); + v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD + ";string;" + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 
1.3.6.1.5.5.7.48.1 (ocsp), 1.3.6.1.5.5.7.48.2 (caIssuers), 2.16.840.1.113730.1.16.1 (renewal)"); + v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); + v.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); } return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } @@ -123,17 +127,17 @@ public class AuthInfoAccessExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; } @@ -148,8 +152,8 @@ public class AuthInfoAccessExt extends APolicyRule implements // for (int i = 0;; i++) { ObjectIdentifier methodOID = null; - String method = mConfig.getString(PROP_AD + Integer.toString(i) - + "_" + PROP_METHOD, null); + String method = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_METHOD, null); if (method == null) break; 
@@ -157,27 +161,23 @@ public class AuthInfoAccessExt extends APolicyRule implements if (method.equals("")) break; - // - // method ::= ocsp | caIssuers | <OID> - // OID ::= [object identifier] - // + // + // method ::= ocsp | caIssuers | <OID> + // OID ::= [object identifier] + // try { if (method.equalsIgnoreCase("ocsp")) { - methodOID = ObjectIdentifier - .getObjectIdentifier("1.3.6.1.5.5.7.48.1"); + methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.1"); } else if (method.equalsIgnoreCase("caIssuers")) { - methodOID = ObjectIdentifier - .getObjectIdentifier("1.3.6.1.5.5.7.48.2"); + methodOID = ObjectIdentifier.getObjectIdentifier("1.3.6.1.5.5.7.48.2"); } else if (method.equalsIgnoreCase("renewal")) { - methodOID = ObjectIdentifier - .getObjectIdentifier("2.16.840.1.113730.1.16.1"); + methodOID = ObjectIdentifier.getObjectIdentifier("2.16.840.1.113730.1.16.1"); } else { // it could be an object identifier, test it methodOID = ObjectIdentifier.getObjectIdentifier(method); } } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method)); } // 
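Review bot: The rewrapped rethrow `throw new EBaseException(CMS.getUserMessage("CMS_BASE_ATTRIBUTE_NAME_CAN_NOT_BE_RESOLVED", method));` discards the IOException raised by `ObjectIdentifier.getObjectIdentifier(method)`, so the user message names the offending method string but the parser's own reason is lost. If EBaseException has a constructor that accepts the underlying exception, pass `e` through; otherwise log it before throwing, e.g. `log(ILogger.LL_FAILURE, NAME + ": cannot parse access method OID '" + method + "': " + e);`, as the other catch blocks in this class already log before rejecting. getAccessDescriptions starts before this hunk and continues past it.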
@@ -185,16 +185,17 @@ public class AuthInfoAccessExt extends APolicyRule implements // TAG ::= uriName | dirName // VALUE ::= [value defined by TAG] // - String location_type = mConfig.getString( - PROP_AD + Integer.toString(i) + "_" + PROP_LOCATION_TYPE, - null); - String location = mConfig.getString(PROP_AD + Integer.toString(i) - + "_" + PROP_LOCATION, null); + String location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE, null); + String location = mConfig.getString(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION, null); if (location == null) break; GeneralName gn = CMS.form_GeneralName(location_type, location); - Vector e = new Vector(); + Vector e = new Vector(); e.addElement(methodOID); e.addElement(gn); @@ -204,10 +205,10 @@ public class AuthInfoAccessExt extends APolicyRule implements } /** - * If this policy is enabled, add the authority information access extension - * to the certificate. + * If this policy is enabled, add the authority information + * access extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -215,11 +216,11 @@ public class AuthInfoAccessExt extends APolicyRule implements PolicyResult res = PolicyResult.ACCEPTED; X509CertInfo certInfo; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), - ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -227,45 +228,43 @@ public class AuthInfoAccessExt extends APolicyRule implements certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, - "Configuration Info Error"), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, "")); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Configuration Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // add access descriptions Enumeration e = getAccessDescriptions(); if (!e.hasMoreElements()) { return res; - } - + } + if (extensions == null) { // create extension if not exist - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { // check to see if AIA is already exist try { extensions.delete(AuthInfoAccessExtension.NAME); - log(ILogger.LL_WARN, "Previous extension deleted: " - + AuthInfoAccessExtension.NAME); + log(ILogger.LL_WARN, "Previous extension deleted: " + AuthInfoAccessExtension.NAME); } catch (IOException ex) { } } // Create the extension - AuthInfoAccessExtension aiaExt = new AuthInfoAccessExtension( - mConfig.getBoolean(PROP_CRITICAL, false)); + AuthInfoAccessExtension aiaExt = new + AuthInfoAccessExtension(mConfig.getBoolean( + PROP_CRITICAL, false)); while (e.hasMoreElements()) { Vector ad = (Vector) e.nextElement(); 
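Review bot: The `catch (IOException ex) { }` kept on the new side around `extensions.delete(AuthInfoAccessExtension.NAME)` swallows the exception without a comment, so a reader cannot tell whether it is the expected "no AIA present" path or a lost error. Since the warning `Previous extension deleted:` is only logged when the delete succeeds, the empty catch appears to be the not-present case; make that explicit with `} catch (IOException ex) { // no AIA extension in the request; nothing to replace }`. That comment also documents the intended rule that an AIA carried in the request is never kept and is always replaced by the CA-configured access descriptions. apply() starts before this hunk and its catch blocks continue in the next one.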
@@ -277,25 +276,19 @@ public class AuthInfoAccessExt extends APolicyRule implements extensions.set(AuthInfoAccessExtension.NAME, aiaExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, - e.getMessage()), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, e.getMessage()), ""); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, - "Configuration Info Error"), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Configuration Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, - "Certificate Info Error"), ""); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Certificate Info Error"), ""); return PolicyResult.REJECTED; // unrecoverable error. } } 
@@ -305,15 +298,15 @@ public class AuthInfoAccessExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); try { - params.addElement(PROP_CRITICAL + "=" - + mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); } catch (EBaseException e) { params.addElement(PROP_CRITICAL + "=false"); } 
@@ -331,41 +324,46 @@ public class AuthInfoAccessExt extends APolicyRule implements String method = null; try { - method = mConfig.getString(PROP_AD + Integer.toString(i) + "_" - + PROP_METHOD, ""); + method = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_METHOD, + ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + Integer.toString(i) + "_" + PROP_METHOD - + "=" + method); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_METHOD + "=" + method); String location_type = null; try { - location_type = mConfig.getString(PROP_AD + Integer.toString(i) - + "_" + PROP_LOCATION_TYPE, - IGeneralNameUtil.GENNAME_CHOICE_URL); + location_type = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION_TYPE, + IGeneralNameUtil.GENNAME_CHOICE_URL); } catch (EBaseException e) { } - params.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_LOCATION_TYPE + "=" + location_type); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + location_type); String location = null; try { - location = mConfig.getString(PROP_AD + Integer.toString(i) - + "_" + PROP_LOCATION, ""); + location = mConfig.getString(PROP_AD + + Integer.toString(i) + "_" + PROP_LOCATION, + ""); } catch (EBaseException e) { } - params.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_LOCATION + "=" + location); + params.addElement(PROP_AD + + Integer.toString(i) + + "_" + PROP_LOCATION + "=" + location); } return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); 
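Review bot: In getInstanceParams the rewrapped `mConfig.getString(...)` calls fall back to `""` (or `IGeneralNameUtil.GENNAME_CHOICE_URL`) when a key is absent, but the locals they assign are initialised to `null` and each `catch (EBaseException e) { }` is empty, so a read that throws emits the literal text `ad0_method=null` into the instance parameters instead of the documented default. Initialise the locals to the same fallbacks, `String method = "";`, `String location_type = IGeneralNameUtil.GENNAME_CHOICE_URL;`, `String location = "";`, so both paths agree, and give each empty catch a one-line comment stating that the default is deliberately kept. getInstanceParams starts before this hunk.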
@@ -377,14 +375,14 @@ public class AuthInfoAccessExt extends APolicyRule implements // the CMS.cfg // for (int i = 0; i < MAX_AD; i++) { - defParams.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_METHOD + "="); - defParams.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_LOCATION_TYPE + "=" - + IGeneralNameUtil.GENNAME_CHOICE_URL); - defParams.addElement(PROP_AD + Integer.toString(i) + "_" - + PROP_LOCATION + "="); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_METHOD + "="); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION_TYPE + "=" + IGeneralNameUtil.GENNAME_CHOICE_URL); + defParams.addElement(PROP_AD + Integer.toString(i) + + "_" + PROP_LOCATION + "="); } return defParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java index cf09af02..612d2492 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/AuthorityKeyIdentifierExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -44,21 +45,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Authority Public Key Extension Policy Adds the subject public key id - * extension to certificates. + * Authority Public Key Extension Policy + * Adds the subject public key id extension to certificates. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class AuthorityKeyIdentifierExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class AuthorityKeyIdentifierExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ALT_KEYID_TYPE = "AltKeyIdType"; @@ -76,7 +77,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule implements protected boolean mCritical = DEF_CRITICAL; protected String mAltKeyIdType = DEF_ALT_KEYID_TYPE; - // the extension to add to certs. + // the extension to add to certs. protected AuthorityKeyIdentifierExtension mTheExtension = null; // instance params for console @@ -87,8 +88,7 @@ public class AuthorityKeyIdentifierExt extends APolicyRule implements static { // form static default params. mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefaultParams.addElement(PROP_ALT_KEYID_TYPE + "=" - + DEF_ALT_KEYID_TYPE); + mDefaultParams.addElement(PROP_ALT_KEYID_TYPE + "=" + DEF_ALT_KEYID_TYPE); } public AuthorityKeyIdentifierExt() { 
@@ -97,128 +97,120 @@ public class AuthorityKeyIdentifierExt extends APolicyRule implements } /** - * Initializes this policy rule. Reads configuration file and creates a - * authority key identifier extension to add. Key identifier inside the - * extension is constructed as the CA's subject key identifier extension if - * it exists. If it does not exist this can be configured to use: (1) sha-1 - * hash of the CA's subject public key info (what communicator expects if - * the CA does not have a subject key identifier extension) or (2) No - * extension set (3) Empty sequence in Authority Key Identifier extension. - * + * Initializes this policy rule. + * Reads configuration file and creates a authority key identifier + * extension to add. Key identifier inside the extension is constructed as + * the CA's subject key identifier extension if it exists. + * If it does not exist this can be configured to use: + * (1) sha-1 hash of the CA's subject public key info + * (what communicator expects if the CA does not have a subject key + * identifier extension) or (2) No extension set (3) Empty sequence + * in Authority Key Identifier extension. 
+ * * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mAltKeyIdType = mConfig.getString(PROP_ALT_KEYID_TYPE, - DEF_ALT_KEYID_TYPE); + mAltKeyIdType = mConfig.getString( + PROP_ALT_KEYID_TYPE, DEF_ALT_KEYID_TYPE); if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_SPKISHA1)) mAltKeyIdType = ALT_KEYID_TYPE_SPKISHA1; - /* - * else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) - * mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; - */ + /* + else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_EMPTY)) + mAltKeyIdType = ALT_KEYID_TYPE_EMPTY; + */ else if (mAltKeyIdType.equalsIgnoreCase(ALT_KEYID_TYPE_NONE)) mAltKeyIdType = ALT_KEYID_TYPE_NONE; else { - log(ILogger.LL_FAILURE, - NAME - + CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", - mAltKeyIdType)); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, - "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " - + ALT_KEYID_TYPE_NONE)); + log(ILogger.LL_FAILURE, NAME + + CMS.getLogMessage("CA_UNKNOWN_ALT_KEY_ID_TYPE", mAltKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", PROP_ALT_KEYID_TYPE, + "value must be one of " + ALT_KEYID_TYPE_SPKISHA1 + ", " + ALT_KEYID_TYPE_NONE)); } // create authority key id extension. 
- ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. - String msg = NAME - + ": " - + "Cannot find the Certificate Manager or Registration Manager"; + String msg = NAME + ": " + + "Cannot find the Certificate Manager or Registration Manager"; log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", msg)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); } if (!(certAuthority instanceof ICertificateAuthority)) { - log(ILogger.LL_FAILURE, - NAME + CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); - throw new EBaseException( - CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - NAME - + " policy can only be used in a Certificate Authority.")); - } - // CertificateChain caChain = certAuthority.getCACertChain(); - // X509Certificate caCert = caChain.getFirstCertificate(); + log(ILogger.LL_FAILURE, NAME + + CMS.getLogMessage("POLICY_INVALID_POLICY", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + NAME + " policy can only be used in a Certificate Authority.")); + } + //CertificateChain caChain = certAuthority.getCACertChain(); + //X509Certificate caCert = caChain.getFirstCertificate(); X509CertImpl caCert = certAuthority.getCACert(); - if (caCert == null || CMS.isPreOpMode()) { + if( caCert == null || CMS.isPreOpMode() ) { return; } - KeyIdentifier keyId = formKeyIdentifier(caCert); + KeyIdentifier keyId = formKeyIdentifier(caCert); if (keyId != null) { try { - mTheExtension = new AuthorityKeyIdentifierExtension(mCritical, - keyId, null, null); + mTheExtension = new AuthorityKeyIdentifierExtension( + mCritical, keyId, null, null); } catch (IOException e) { - String msg = NAME + ": " - + "Error forming Authority Key Identifier 
extension: " - + e; - - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", msg)); + String msg = NAME + ": " + + "Error forming Authority Key Identifier extension: " + e; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); } } else { } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement(PROP_ALT_KEYID_TYPE + "=" + mAltKeyIdType); } /** - * Adds Authority Key Identifier Extension to a certificate. If the - * extension is already there, accept it if it's from the agent, else - * replace it. - * - * @param req The request on which to apply policy. + * Adds Authority Key Identifier Extension to a certificate. + * If the extension is already there, accept it if it's from the agent, + * else replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), - ""); - return PolicyResult.REJECTED; + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, ci[i]); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; 
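Review bot: apply() on the new side rejects only when `ci == null || ci[0] == null`, yet the loop passes every element to applyCert, whose first statement `certInfo.get(X509CertInfo.EXTENSIONS)` would throw a NullPointerException on a null element at index 1 or higher, and the surrounding catch blocks only handle IOException and CertificateException. AuthInfoAccessExt.apply in the same commit null-checks each element inside its loop; do the same here with `if (ci[i] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; }` before the applyCert call. In init() the new side also keeps an empty `} else { }` after the keyId null check; drop it or replace it with a comment saying that no extension is added when the CA certificate yields no key identifier. Note too that the early `return` on `caCert == null || CMS.isPreOpMode()` leaves mInstanceParams unpopulated, which looks intentional for pre-op mode but deserves a comment.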
@@ -227,145 +219,135 @@ public class AuthorityKeyIdentifierExt extends APolicyRule implements public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - // if authority key id extension already exists, leave it if + // if authority key id extension already exists, leave it if // from agent. else replace it. AuthorityKeyIdentifierExtension authorityKeyIdExt = null; - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - authorityKeyIdExt = (AuthorityKeyIdentifierExtension) extensions - .get(AuthorityKeyIdentifierExtension.NAME); + authorityKeyIdExt = (AuthorityKeyIdentifierExtension) + extensions.get(AuthorityKeyIdentifierExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (authorityKeyIdExt != null) { if (agentApproved(req)) { - CMS.debug("AuthorityKeyIdentifierKeyExt: agent approved request id " - + req.getRequestId() - + " already has authority key id extension with value " - + authorityKeyIdExt); + CMS.debug( + "AuthorityKeyIdentifierKeyExt: agent approved request id " + req.getRequestId() + + " already has authority key id extension with value " + + authorityKeyIdExt); return PolicyResult.ACCEPTED; } else { - CMS.debug("AuthorityKeyIdentifierKeyExt: request id from user " - + req.getRequestId() - + " had authority key identifier - deleted"); + CMS.debug( + "AuthorityKeyIdentifierKeyExt: request id from user " + req.getRequestId() + + " had authority key identifier - deleted"); extensions.delete(AuthorityKeyIdentifierExtension.NAME); } } - // if no authority key identifier should be set b/c CA does not - // have a subject key identifier, return here. - if (mTheExtension == null) + // if no authority key identifier should be set b/c CA does not + // have a subject key identifier, return here. 
+ if (mTheExtension == null) return PolicyResult.ACCEPTED; - // add authority key id extension. + // add authority key id extension. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set(AuthorityKeyIdentifierExtension.NAME, mTheExtension); - CMS.debug("AuthorityKeyIdentifierKeyExt: added authority key id ext to request " - + req.getRequestId()); + extensions.set( + AuthorityKeyIdentifierExtension.NAME, mTheExtension); + CMS.debug( + "AuthorityKeyIdentifierKeyExt: added authority key id ext to request " + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, - e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", - NAME, e.getMessage()), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, e.getMessage()), ""); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", NAME, - "Certificate Info Error"), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INVALID_CERT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", + NAME, "Certificate Info Error"), ""); return PolicyResult.REJECTED; } } /** - * Form the Key Identifier in the Authority Key Identifier extension. from - * the CA's cert. + * Form the Key Identifier in the Authority Key Identifier extension. + * from the CA's cert. 
* <p> - * * @param caCertImpl Certificate Info * @return A Key Identifier. * @throws com.netscape.certsrv.base.EBaseException on error */ protected KeyIdentifier formKeyIdentifier(X509CertImpl caCertImpl) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; // get CA's certInfo. X509CertInfo certInfo = null; try { - certInfo = (X509CertInfo) caCertImpl.get(X509CertImpl.NAME + "." - + X509CertImpl.INFO); - if (certInfo == null) { - String msg = "Bad CA certificate encountered. " - + "TBS Certificate missing."; - - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); + certInfo = (X509CertInfo) caCertImpl.get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + if (certInfo == null) { + String msg = "Bad CA certificate encountered. " + + "TBS Certificate missing."; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", NAME + ": " + msg)); } } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - NAME - + ": " - + CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", - e.toString())); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", NAME - + " Error decoding the CA Certificate: " + e)); + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("BASE_DECODE_CERT_FAILED_1", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + NAME + " Error decoding the CA Certificate: " + e)); } // get Key Id from CA's Subject Key Id extension in CA's CertInfo. keyId = getKeyIdentifier(certInfo); - if (keyId != null) + if (keyId != null) return keyId; - // if none exists use the configured alternate. + // if none exists use the configured alternate. 
if (mAltKeyIdType == ALT_KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } /* - * else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { keyId = - * formEmptyKeyId(certInfo); } - */else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { + else if (mAltKeyIdType == ALT_KEYID_TYPE_EMPTY) { + keyId = formEmptyKeyId(certInfo); + } + */ else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) { keyId = null; } else { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mAltKeyIdType, - "Unknown Alternate Key Identifier type.")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mAltKeyIdType, + "Unknown Alternate Key Identifier type.")); } return keyId; } /** - * Get the Key Identifier in a subject key identifier extension from a + * Get the Key Identifier in a subject key identifier extension from a * CertInfo. - * * @param certInfo the CertInfo structure. * @return Key Identifier in a Subject Key Identifier extension if any. */ - protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) - throws EBaseException { + protected KeyIdentifier getKeyIdentifier(X509CertInfo certInfo) + throws EBaseException { CertificateExtensions exts = null; SubjectKeyIdentifierExtension subjKeyIdExt = null; KeyIdentifier keyId = null; try { - exts = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + exts = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { // extension isn't there. CMS.debug(NAME + ": " + "No extensions found. Error " + e); 
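Review bot: The rewrapped `*/ else if (mAltKeyIdType == ALT_KEYID_TYPE_NONE) {` in formKeyIdentifier compares strings by identity; this only works because init() overwrites the configured value with the constant after `equalsIgnoreCase`, so any future assignment of mAltKeyIdType that skips that normalisation would silently fall through to the "Unknown Alternate Key Identifier type." exception. `ALT_KEYID_TYPE_SPKISHA1.equals(mAltKeyIdType)` and `ALT_KEYID_TYPE_NONE.equals(mAltKeyIdType)` remove the dependency, or at minimum add `// identity compare is safe: init() normalises mAltKeyIdType to the constants` above the chain. Fusing the closing `*/` of the commented-out EMPTY branch onto the `else if` line also hides that a branch is disabled; put `*/` on its own line. getKeyIdentifier, which begins at the end of this hunk, continues past it.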
@@ -375,77 +357,71 @@ public class AuthorityKeyIdentifierExt extends APolicyRule implements CMS.debug(NAME + ": " + "No extensions found. Error " + e); return null; } - if (exts == null) + if (exts == null) return null; try { - subjKeyIdExt = (SubjectKeyIdentifierExtension) exts - .get(SubjectKeyIdentifierExtension.NAME); + subjKeyIdExt = (SubjectKeyIdentifierExtension) + exts.get(SubjectKeyIdentifierExtension.NAME); } catch (IOException e) { // extension isn't there. - CMS.debug("AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " - + e); + CMS.debug( + "AuthorityKeyIdentifierKeyExt: No Subject Key Identifier Extension found. Error: " + e); return null; } if (subjKeyIdExt == null) return null; try { - keyId = (KeyIdentifier) subjKeyIdExt - .get(SubjectKeyIdentifierExtension.KEY_ID); + keyId = (KeyIdentifier) subjKeyIdExt.get( + SubjectKeyIdentifierExtension.KEY_ID); } catch (IOException e) { - // no key identifier in subject key id extension. - String msg = NAME + ": " - + "Bad Subject Key Identifier Extension found. Error: " + e; - - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", msg)); + // no key identifier in subject key id extension. + String msg = NAME + ": " + + "Bad Subject Key Identifier Extension found. Error: " + e; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_AUTHORITY_KEY_ID_1", NAME)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); } return keyId; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;" - + "RFC 2459 recommendation: MUST NOT be marked critical.", - PROP_ALT_KEYID_TYPE - + ";" - + "choice(" - + ALT_KEYID_TYPE_SPKISHA1 - + "," - + ALT_KEYID_TYPE_NONE - + ");" - + "Specifies whether to use a SHA1 hash of the CA's subject " - + "public key info for key identifier or leave out the " - + "authority key identifier extension if the CA certificate " - + "does not have a Subject Key Identifier extension.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-authkeyid", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Authority Key Identifier Extension. " - + "See RFC 2459 (4.2.1.1)" }; + PROP_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST NOT be marked critical.", + PROP_ALT_KEYID_TYPE + ";" + + "choice(" + ALT_KEYID_TYPE_SPKISHA1 + "," + ALT_KEYID_TYPE_NONE + ");" + + "Specifies whether to use a SHA1 hash of the CA's subject " + + "public key info for key identifier or leave out the " + + "authority key identifier extension if the CA certificate " + + "does not have a Subject Key Identifier extension.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-authkeyid", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Authority Key Identifier Extension. " + + "See RFC 2459 (4.2.1.1)" + }; return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java index e146a0cf..4c2eb464 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/BasicConstraintsExt.java 
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; 
@@ -46,100 +47,103 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Basic Constraints policy. Adds the Basic constraints extension. + * Basic Constraints policy. + * Adds the Basic constraints extension. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class BasicConstraintsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class BasicConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_MAXPATHLEN = "maxPathLen"; protected static final String PROP_IS_CA = "isCA"; protected static final String PROP_IS_CRITICAL = "critical"; protected static final String ARG_PATHLEN = "BasicConstraintsPathLen"; - protected int mMaxPathLen = 0; // < 0 means unlimited + protected int mMaxPathLen = 0; // < 0 means unlimited protected String mOrigMaxPathLen = ""; // for UI display only protected boolean mCritical = true; - protected int mDefaultMaxPathLen = 0; // depends on the CA's path length. - protected int mCAPathLen = 0; + protected int mDefaultMaxPathLen = 0; // depends on the CA's path length. + protected int mCAPathLen = 0; protected boolean mRemoveExt = true; protected boolean mIsCA = true; public static final boolean DEFAULT_CRITICALITY = true; /** - * Adds the basic constraints extension as a critical extension in CA - * certificates i.e. certype is ca, with either a requested or configured - * path len. The requested or configured path length cannot be greater than - * or equal to the CA's basic constraints path length. If the CA path length - * is 0, all requests for CA certs are rejected. + * Adds the basic constraints extension as a critical extension in + * CA certificates i.e. certype is ca, with either a requested + * or configured path len. 
+ * The requested or configured path length cannot be greater than + * or equal to the CA's basic constraints path length. + * If the CA path length is 0, all requests for CA certs are rejected. */ public BasicConstraintsExt() { NAME = "BasicConstraintsExt"; - DESC = "Sets critical basic constraints extension in subordinate CA certs"; + DESC = + "Sets critical basic constraints extension in subordinate CA certs"; } /** * Initializes this policy rule. * <p> * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=BasicConstraintsExtImpl - * ca.Policy.rule.<ruleName>.pathLen=<n>, -1 for undefined. - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=BasicConstraintsExtImpl + * ca.Policy.rule.<ruleName>.pathLen=<n>, -1 for undefined. + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // get the CA's path len to check against configured max path len. - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { // should never get here. 
log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager or Registration Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); } if (certAuthority instanceof IRegistrationAuthority) { - log(ILogger.LL_WARN, - "default basic constraints extension path len to -1."); + log(ILogger.LL_WARN, + "default basic constraints extension path len to -1."); mCAPathLen = -1; } else { CertificateChain caChain = certAuthority.getCACertChain(); - if (caChain == null || CMS.isPreOpMode()) { + if( caChain == null || CMS.isPreOpMode() ) { return; } X509Certificate caCert = caChain.getFirstCertificate(); mCAPathLen = caCert.getBasicConstraints(); } - // set default to one less than the CA's pathlen or 0 if CA's - // pathlen is 0. + // set default to one less than the CA's pathlen or 0 if CA's + // pathlen is 0. // If it's unlimited default the max pathlen also to unlimited. - if (mCAPathLen < 0) + if (mCAPathLen < 0) mDefaultMaxPathLen = -1; - else if (mCAPathLen > 0) + else if (mCAPathLen > 0) mDefaultMaxPathLen = mCAPathLen - 1; - else // (mCAPathLen == 0) + else // (mCAPathLen == 0) { - log(ILogger.LL_WARN, CMS.getLogMessage("POLICY_PATHLEN_ZERO")); - // return; + log(ILogger.LL_WARN, + CMS.getLogMessage("POLICY_PATHLEN_ZERO")); + //return; } - // get configured max path len, use defaults if not configured. + // get configured max path len, use defaults if not configured. boolean pathLenConfigured = true; try { 
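Review bot: In init(), `mCAPathLen = caCert.getBasicConstraints();` followed by `if (mCAPathLen < 0) mDefaultMaxPathLen = -1;` treats any negative value as "unlimited", but the `java.security.cert.X509Certificate` contract (the type this file imports and `caCert` is declared as) returns -1 when the certificate is not a CA or carries no BasicConstraints extension, and `Integer.MAX_VALUE` for a CA whose extension has no pathLenConstraint. As written, a signing certificate without cA=TRUE is accepted as an unlimited-depth CA — the config-time `mCAPathLen > 0` / `mCAPathLen == 0` validation and the `mCAPathLen == 0` rejection in applyCert are both skipped — while a genuine unlimited CA gets a default of `Integer.MAX_VALUE - 1` instead of -1; the concrete certificate class behind the chain may differ from the JDK contract, so verify against it. I would normalise right after the call, `if (mCAPathLen == Integer.MAX_VALUE) mCAPathLen = -1;`, and log at LL_MISCONF when -1 comes back rather than silently treating it as unlimited, updating the `// < 0 means unlimited` field comment to say which value encodes which case. init() continues past the end of this hunk.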
@@ -147,19 +151,19 @@ public class BasicConstraintsExt extends APolicyRule implements mIsCA = config.getBoolean(PROP_IS_CA, true); mMaxPathLen = config.getInteger(PROP_MAXPATHLEN); if (mMaxPathLen < 0) { - log(ILogger.LL_MISCONF, CMS.getLogMessage( - "POLICY_INVALID_MAXPATHLEN_4", "", - String.valueOf(mMaxPathLen))); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_MAXPATHLEN_1", NAME, + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_4", "", String.valueOf(mMaxPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN_1", + NAME, String.valueOf(mMaxPathLen))); } mOrigMaxPathLen = Integer.toString(mMaxPathLen); } catch (EBaseException e) { - if (!(e instanceof EPropertyNotFound) - && !(e instanceof EPropertyNotDefined)) { - log(ILogger.LL_MISCONF, - CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN")); + if (!(e instanceof EPropertyNotFound) && + !(e instanceof EPropertyNotDefined)) { + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN")); throw e; } 
@@ -171,52 +175,53 @@ public class BasicConstraintsExt extends APolicyRule implements // check if configured path len is valid. if (pathLenConfigured) { - // if CA's pathlen is unlimited, any max pathlen is ok. - // else maxPathlen must be at most one less than the CA's - // pathlen or 0 if CA's pathlen is 0. - - if (mCAPathLen > 0 - && (mMaxPathLen >= mCAPathLen || mMaxPathLen < 0)) { - String maxStr = (mMaxPathLen < 0) ? String.valueOf(mMaxPathLen) - + "(unlimited)" : String.valueOf(mMaxPathLen); - - log(ILogger.LL_MISCONF, CMS.getLogMessage( - "POLICY_MAXPATHLEN_TOO_BIG_3", "", maxStr, + // if CA's pathlen is unlimited, any max pathlen is ok. + // else maxPathlen must be at most one less than the CA's + // pathlen or 0 if CA's pathlen is 0. + + if (mCAPathLen > 0 && + (mMaxPathLen >= mCAPathLen || mMaxPathLen < 0)) { + String maxStr = (mMaxPathLen < 0) ? + String.valueOf(mMaxPathLen) + "(unlimited)" : + String.valueOf(mMaxPathLen); + + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", "", + maxStr, String.valueOf(mCAPathLen))); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_MAXPATHLEN_TOO_BIG_1", NAME, maxStr, - Integer.toString(mCAPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG_1", + NAME, maxStr, Integer.toString(mCAPathLen))); } else if (mCAPathLen == 0 && mMaxPathLen != 0) { - log(ILogger.LL_MISCONF, CMS.getLogMessage( - "POLICY_INVALID_MAXPATHLEN_2", "", - String.valueOf(mMaxPathLen))); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_MAXPATHLEN", NAME, - String.valueOf(mMaxPathLen))); + log(ILogger.LL_MISCONF, + CMS.getLogMessage("POLICY_INVALID_MAXPATHLEN_2", "", String.valueOf(mMaxPathLen))); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_MAXPATHLEN", + NAME, String.valueOf(mMaxPathLen))); } } } /** - * Checks if the basic contraints extension in certInfo is valid and add the - * basic constraints extension for CA certs if 
none exists. Non-CA certs do - * not get a basic constraints extension. - * - * @param req The request on which to apply policy. + * Checks if the basic contraints extension in certInfo is valid and + * add the basic constraints extension for CA certs if none exists. + * Non-CA certs do not get a basic constraints extension. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), - ""); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } @@ -224,22 +229,24 @@ public class BasicConstraintsExt extends APolicyRule implements boolean isCA = mIsCA; /** - * boolean isCA = false; String type = - * (String)req.get(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); if (type - * != null && type.equalsIgnoreCase(IRequest.CA_CERT)) { isCA = true; } + boolean isCA = false; + String type = (String)req.get(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + if (type != null && type.equalsIgnoreCase(IRequest.CA_CERT)) { + isCA = true; + } **/ for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, isCA, certInfo); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; } - public PolicyResult applyCert(IRequest req, boolean isCA, - X509CertInfo certInfo) { + public PolicyResult applyCert( + IRequest req, boolean isCA, X509CertInfo certInfo) { // get basic constraints extension from cert info if any. CertificateExtensions extensions = null; 
@@ -247,11 +254,11 @@ public class BasicConstraintsExt extends APolicyRule implements try { // get basic constraints extension if any. - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions != null) { - basicExt = (BasicConstraintsExtension) extensions - .get(BasicConstraintsExtension.NAME); + basicExt = (BasicConstraintsExtension) + extensions.get(BasicConstraintsExtension.NAME); } } catch (IOException e) { // no extensions or basic constraints extension. @@ -259,19 +266,19 @@ public class BasicConstraintsExt extends APolicyRule implements // no extensions or basic constraints extension. } - // for non-CA certs, pkix says it SHOULD NOT have the extension + // for non-CA certs, pkix says it SHOULD NOT have the extension // so remove it. if (!isCA) { if (extensions == null) { try { // create extensions set if none. - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { } catch (IOException e) { - // not possible + // not possible } } if (basicExt != null) { 
@@ -284,62 +291,56 @@ public class BasicConstraintsExt extends APolicyRule implements BasicConstraintsExtension critExt; try { - critExt = new BasicConstraintsExtension(isCA, mCritical, - mMaxPathLen); + critExt = new BasicConstraintsExtension(isCA, mCritical, mMaxPathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", - e.toString())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } - + try { extensions.set(BasicConstraintsExtension.NAME, critExt); } catch (IOException e) { } - CMS.debug("BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " - + req.getRequestId()); + CMS.debug( + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } // For CA certs, check if existing extension is valid, and adjust. - // Extension must be marked critial and pathlen must be < CA's pathlen. + // Extension must be marked critial and pathlen must be < CA's pathlen. // if CA's pathlen is 0 all ca certs are rejected. if (mCAPathLen == 0) { - // reject all subordinate CA cert requests because CA's + // reject all subordinate CA cert requests because CA's // path length is 0. 
- log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_NO_SUB_CA_CERTS_ALLOWED_1", NAME)); - setError(req, CMS.getUserMessage( - "CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_NO_SUB_CA_CERTS_ALLOWED_1", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED", NAME), ""); return PolicyResult.REJECTED; } - if (basicExt != null) { + if (basicExt != null) { try { - boolean extIsCA = ((Boolean) basicExt - .get(BasicConstraintsExtension.IS_CA)).booleanValue(); - int pathLen = ((Integer) basicExt - .get(BasicConstraintsExtension.PATH_LEN)).intValue(); + boolean extIsCA = + ((Boolean) basicExt.get(BasicConstraintsExtension.IS_CA)).booleanValue(); + int pathLen = + ((Integer) basicExt.get(BasicConstraintsExtension.PATH_LEN)).intValue(); if (mMaxPathLen > -1) { if (pathLen > mMaxPathLen || pathLen < 0) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_MAXPATHLEN_TOO_BIG_3", NAME, - "unlimited", String.valueOf(pathLen))); - if (pathLen < 0) - setError(req, - CMS.getUserMessage( - "CMS_POLICY_MAXPATHLEN_TOO_BIG", - NAME, "unlimited", - Integer.toString(mMaxPathLen)), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_MAXPATHLEN_TOO_BIG_3", NAME, "unlimited", String.valueOf(pathLen))); + if (pathLen < 0) + setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", + NAME, "unlimited", Integer.toString(mMaxPathLen)), ""); else - setError(req, CMS.getUserMessage( - "CMS_POLICY_MAXPATHLEN_TOO_BIG", NAME, - Integer.toString(pathLen), + setError(req, CMS.getUserMessage("CMS_POLICY_MAXPATHLEN_TOO_BIG", + NAME, Integer.toString(pathLen), Integer.toString(mMaxPathLen)), ""); return PolicyResult.REJECTED; } 
@@ -347,20 +348,20 @@ public class BasicConstraintsExt extends APolicyRule implements // adjust isCA field if (!extIsCA) { - basicExt.set(BasicConstraintsExtension.IS_CA, - Boolean.valueOf(true)); + basicExt.set(BasicConstraintsExtension.IS_CA, + Boolean.valueOf(true)); } // adjust path length field. if (mMaxPathLen == 0) { if (pathLen != 0) { - basicExt.set(BasicConstraintsExtension.PATH_LEN, - Integer.valueOf(0)); + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(0)); pathLen = 0; } } else if (mMaxPathLen > 0 && pathLen > mMaxPathLen) { - basicExt.set(BasicConstraintsExtension.PATH_LEN, - Integer.valueOf(mMaxPathLen)); + basicExt.set(BasicConstraintsExtension.PATH_LEN, + Integer.valueOf(mMaxPathLen)); pathLen = mMaxPathLen; } @@ -369,13 +370,12 @@ public class BasicConstraintsExt extends APolicyRule implements BasicConstraintsExtension critExt; try { - critExt = new BasicConstraintsExtension(isCA, - mCritical, pathLen); + critExt = new BasicConstraintsExtension(isCA, mCritical, pathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_BASIC_CONSTRAINTS_1", NAME)); - setError(req, CMS.getUserMessage( - "CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } extensions.delete(BasicConstraintsExtension.NAME); @@ -384,8 +384,9 @@ public class BasicConstraintsExt extends APolicyRule implements } catch (IOException e) { // not possible in these cases. } - CMS.debug("BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " - + req.getRequestId()); + CMS.debug( + "BasicConstraintsExt: PolicyRule BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } 
@@ -393,14 +394,14 @@ public class BasicConstraintsExt extends APolicyRule implements if (extensions == null) { try { // create extensions set if none. - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { // not possible } catch (IOException e) { - // not possible + // not possible } } 
@@ -412,28 +413,29 @@ public class BasicConstraintsExt extends APolicyRule implements if (reqPathLenStr == null) { reqPathLen = mMaxPathLen; } else { - try { - reqPathLen = Integer.parseInt(reqPathLenStr); - if ((mMaxPathLen == 0 && reqPathLen != 0) - || (mMaxPathLen > 0 && (reqPathLen > mMaxPathLen || reqPathLen < 0))) { - String plenStr = ((reqPathLen < 0) ? reqPathLenStr - + "(unlimited)" : reqPathLenStr); - - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_PATHLEN_TOO_BIG_3", plenStr, + try { + reqPathLen = Integer.parseInt(reqPathLenStr); + if ((mMaxPathLen == 0 && reqPathLen != 0) || + (mMaxPathLen > 0 && + (reqPathLen > mMaxPathLen || reqPathLen < 0))) { + String plenStr = + ((reqPathLen < 0) ? + reqPathLenStr + "(unlimited)" : reqPathLenStr); + + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_PATHLEN_TOO_BIG_3", plenStr, String.valueOf(mMaxPathLen))); - setError(req, CMS.getUserMessage( - "CMS_POLICY_PATHLEN_TOO_BIG", NAME, plenStr, - String.valueOf(mMaxPathLen)), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_PATHLEN_TOO_BIG", + NAME, plenStr, String.valueOf(mMaxPathLen)), ""); return PolicyResult.REJECTED; } } catch (NumberFormatException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_INVALID_PATHLEN_FORMAT_2", NAME, reqPathLenStr)); - setError(req, CMS.getUserMessage( - "CMS_POLICY_INVALID_PATHLEN_FORMAT", NAME, - reqPathLenStr), ""); - return PolicyResult.REJECTED; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_INVALID_PATHLEN_FORMAT_2", NAME, reqPathLenStr)); + setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_PATHLEN_FORMAT", + NAME, reqPathLenStr), ""); + return PolicyResult.REJECTED; } } BasicConstraintsExtension newExt; 
@@ -441,29 +443,29 @@ public class BasicConstraintsExt extends APolicyRule implements try { newExt = new BasicConstraintsExtension(isCA, mCritical, reqPathLen); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", - e.toString())); - setError(req, CMS.getUserMessage( - "CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_BASIC_CONSTRAINTS_2", e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_BASIC_CONSTRAINTS_ERROR", NAME), ""); return PolicyResult.REJECTED; // unrecoverable error. } try { extensions.set(BasicConstraintsExtension.NAME, newExt); - } catch (IOException e) { + }catch (IOException e) { // doesn't happen. } - CMS.debug("BasicConstraintsExt: added the extension to request " - + req.getRequestId()); + CMS.debug( + "BasicConstraintsExt: added the extension to request " + + req.getRequestId()); return PolicyResult.ACCEPTED; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); // Because of one of the UI bugs 385273, we should leave the empty space @@ -476,10 +478,10 @@ public class BasicConstraintsExt extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_IS_CRITICAL + "=true"); 
@@ -490,20 +492,19 @@ public class BasicConstraintsExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_MAXPATHLEN - + ";number;'0' means : no subordinates allowed, 'n' means : at most n subordinates allowed.", - PROP_IS_CRITICAL - + ";boolean;" - + "RFC 2459 recommendation: MUST be critical in CA certs, SHOULD NOT appear in EE certs.", - PROP_IS_CA - + ";boolean;" - + "Identifies the subject of the certificate is a CA or not.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-basicconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Adds the Basic Constraints extension. See RFC 2459 (4.2.1.10)" }; + PROP_MAXPATHLEN + ";number;'0' means : no subordinates allowed, 'n' means : at most n subordinates allowed.", + PROP_IS_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST be critical in CA certs, SHOULD NOT appear in EE certs.", + PROP_IS_CA + ";boolean;" + + "Identifies the subject of the certificate is a CA or not.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-basicconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Adds the Basic Constraints extension. See RFC 2459 (4.2.1.10)" + }; return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java index 400a6d35..cec8051b 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CRLDistributionPointsExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Hashtable; 
@@ -49,18 +50,18 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * The type of the distribution point or issuer name. The name is expressed as a - * simple string in the configuration file, so this attribute is needed to tell - * whether the simple string should be stored in an X.500 Name, a URL, or an - * RDN. + * The type of the distribution point or issuer name. The name is expressed + * as a simple string in the configuration file, so this attribute is needed + * to tell whether the simple string should be stored in an X.500 Name, + * a URL, or an RDN. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ @@ -68,7 +69,7 @@ class NameType { private NameType() { } // no default constructor - private String stringRep; // string representation of this type + private String stringRep; // string representation of this type private NameType(String s) { map.put(s, this); @@ -78,8 +79,8 @@ class NameType { private static Hashtable map = new Hashtable(); /** - * Looks up a NameType from its string representation. Returns null if no - * matching NameType was found. + * Looks up a NameType from its string representation. Returns null + * if no matching NameType was found. */ public static NameType fromString(String s) { return (NameType) map.get(s); 
@@ -91,14 +92,15 @@ class NameType { public static final NameType DIRECTORY_NAME = new NameType("DirectoryName"); public static final NameType URI = new NameType("URI"); - public static final NameType RELATIVE_TO_ISSUER = new NameType( - "RelativeToIssuer"); + public static final NameType RELATIVE_TO_ISSUER = + new NameType("RelativeToIssuer"); } + /** - * These are the parameters that may be given in the configuration file for each - * distribution point. They are parsed by DPParamsToDP(). Any of them may be - * null. + * These are the parameters that may be given in the configuration file + * for each distribution point. They are parsed by DPParamsToDP(). + * Any of them may be null. */ class DistPointParams { public String pointName; @@ -122,12 +124,13 @@ class DistPointParams { } + /** - * CRL Distribution Points policy. Adds the CRL Distribution Points extension to - * the certificate. + * CRL Distribution Points policy. + * Adds the CRL Distribution Points extension to the certificate. */ -public class CRLDistributionPointsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class CRLDistributionPointsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_IS_CRITICAL = "critical"; public static final String PROP_NUM_POINTS = "numPoints"; 
@@ -169,40 +172,32 @@ public class CRLDistributionPointsExt extends APolicyRule implements // should replace MAX_POINTS with mNumPoints if bug 385118 is fixed for (int i = 0; i < MAX_POINTS; i++) { - v.addElement(PROP_POINT_TYPE + Integer.toString(i) + ";choice(" - + "DirectoryName,URI,RelativeToIssuer);" - + "The type of the CRL distribution point."); - v.addElement(PROP_POINT_NAME - + Integer.toString(i) - + ";string;" - + "The name of the CRL distribution point depending on the CRLDP type."); - v.addElement(PROP_REASONS - + Integer.toString(i) - + ";string;" - + "The revocation reasons for the CRL maintained at this distribution point. It's a comma-seperated list of the following constants: unused, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold."); - v.addElement(PROP_ISSUER_TYPE - + Integer.toString(i) - + ";choice(" - + "DirectoryName,URI);" - + "The type of the issuer that has signed the CRL maintained at this distribution point."); - v.addElement(PROP_ISSUER_NAME - + Integer.toString(i) - + ";string;" - + "The name of the issuer that has signed the CRL maintained at this distribution point. The value depends on the issuer type."); + v.addElement(PROP_POINT_TYPE + Integer.toString(i) + ";choice(" + + "DirectoryName,URI,RelativeToIssuer);" + + "The type of the CRL distribution point."); + v.addElement(PROP_POINT_NAME + Integer.toString(i) + ";string;" + + "The name of the CRL distribution point depending on the CRLDP type."); + v.addElement(PROP_REASONS + Integer.toString(i) + ";string;" + + "The revocation reasons for the CRL maintained at this distribution point. 
It's a comma-seperated list of the following constants: unused, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold."); + v.addElement(PROP_ISSUER_TYPE + Integer.toString(i) + ";choice(" + + "DirectoryName,URI);" + + "The type of the issuer that has signed the CRL maintained at this distribution point."); + v.addElement(PROP_ISSUER_NAME + Integer.toString(i) + ";string;" + + "The name of the issuer that has signed the CRL maintained at this distribution point. The value depends on the issuer type."); } - v.addElement(PROP_NUM_POINTS - + ";number;The total number of CRL distribution points to be contained or allowed in the extension."); - v.addElement(PROP_IS_CRITICAL - + ";boolean;RFC 2459 recommendation: SHOULD be non-critical. But recommends support for this extension by CAs and applications."); - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-crldistributionpoints"); - v.addElement(IExtendedPluginInfo.HELP_TEXT - + ";This policy inserts the CRL Distribution Points " - + "Extension into the certificate. See RFC 2459 (4.2.1.14). "); - - mExtParams = com.netscape.cmsutil.util.Utils - .getStringArrayFromVector(v); + v.addElement(PROP_NUM_POINTS + + ";number;The total number of CRL distribution points to be contained or allowed in the extension."); + v.addElement(PROP_IS_CRITICAL + + ";boolean;RFC 2459 recommendation: SHOULD be non-critical. But recommends support for this extension by CAs and applications."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-crldistributionpoints"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the CRL Distribution Points " + + "Extension into the certificate. See RFC 2459 (4.2.1.14). " + ); + + mExtParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } public String[] getExtendedPluginInfo(Locale locale) { 
@@ -217,13 +212,13 @@ public class CRLDistributionPointsExt extends APolicyRule implements * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // Register the CRL Distribution Points extension. try { netscape.security.x509.OIDMap.addAttribute( - CRLDistributionPointsExtension.class.getName(), - CRLDistributionPointsExtension.OID, - CRLDistributionPointsExtension.NAME); + CRLDistributionPointsExtension.class.getName(), + CRLDistributionPointsExtension.OID, + CRLDistributionPointsExtension.NAME); } catch (CertificateException e) { // ignore, just means it has already been added } @@ -247,15 +242,11 @@ public class CRLDistributionPointsExt extends APolicyRule implements DistPointParams configparams = new DistPointParams(params); CRLDistributionPoint crldp = DPParamsToDP(params); - mParams.addElement(PROP_POINT_TYPE + i + "=" - + configparams.pointType); - mParams.addElement(PROP_POINT_NAME + i + "=" - + configparams.pointName); + mParams.addElement(PROP_POINT_TYPE + i + "=" + configparams.pointType); + mParams.addElement(PROP_POINT_NAME + i + "=" + configparams.pointName); mParams.addElement(PROP_REASONS + i + "=" + configparams.reasons); - mParams.addElement(PROP_ISSUER_TYPE + i + "=" - + configparams.issuerType); - mParams.addElement(PROP_ISSUER_NAME + i + "=" - + configparams.issuerName); + mParams.addElement(PROP_ISSUER_TYPE + i + "=" + configparams.issuerType); + mParams.addElement(PROP_ISSUER_NAME + i + "=" + configparams.issuerName); // add the distribution point to the extension if (mCrldpExt == null) { @@ -265,7 +256,8 @@ public class CRLDistributionPointsExt extends APolicyRule implements } } - boolean crit = config.getBoolean(PROP_IS_CRITICAL, DEFAULT_CRITICALITY); + boolean crit = config.getBoolean(PROP_IS_CRITICAL, + DEFAULT_CRITICALITY); mParams.addElement(PROP_IS_CRITICAL + "=" + crit); if (mCrldpExt != null) { 
@@ -277,11 +269,11 @@ public class CRLDistributionPointsExt extends APolicyRule implements } /** - * Parses the parameters in the config file to create an actual CRL - * Distribution Point object. + * Parses the parameters in the config file to create an + * actual CRL Distribution Point object. */ private CRLDistributionPoint DPParamsToDP(DistPointParams params) - throws EBaseException { + throws EBaseException { CRLDistributionPoint crlDP = new CRLDistributionPoint(); try { @@ -310,39 +302,33 @@ public class CRLDistributionPointsExt extends APolicyRule implements if (nType == null) { String err = "Unknown name type: " + params.pointType; - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CA_UNKNOWN_NAME_TYPE", params.pointType)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", params.pointType)); throw new EBaseException(err); } if (nType == NameType.DIRECTORY_NAME) { GeneralNames gen = new GeneralNames(); - gen.addElement(new GeneralName(new X500Name( - params.pointName))); + gen.addElement(new GeneralName(new X500Name(params.pointName))); crlDP.setFullName(gen); } else if (nType == NameType.URI) { GeneralNames gen = new GeneralNames(); - gen.addElement(new GeneralName( - new URIName(params.pointName))); + gen.addElement(new GeneralName(new URIName(params.pointName))); crlDP.setFullName(gen); } else if (nType == NameType.RELATIVE_TO_ISSUER) { crlDP.setRelativeName(new RDN(params.pointName)); } else { String err = "Unknown name type: " + nType.toString(); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", - nType.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", nType.toString())); throw new EBaseException(err); } } // deal with the reasons if (params.reasons != null) { - StringTokenizer tok = new StringTokenizer(params.reasons, - ", \t"); + StringTokenizer tok = new StringTokenizer(params.reasons, ", \t"); byte reasonBits = 0; while (tok.hasMoreTokens()) { 
@@ -350,15 +336,15 @@ public class CRLDistributionPointsExt extends APolicyRule implements Reason r = Reason.fromString(s); if (r == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_UNKNOWN_REASON", s)); - throw new EBaseException("Unknown reason: " + s); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_REASON", s)); + throw new EBaseException("Unknown reason: " + s); } else { reasonBits |= r.getBitMask(); } } if (reasonBits != 0) { - BitArray ba = new BitArray(8, new byte[] { reasonBits }); + BitArray ba = new BitArray(8, new byte[] { reasonBits } + ); crlDP.setReasons(ba); } @@ -372,29 +358,24 @@ public class CRLDistributionPointsExt extends APolicyRule implements if (nType == null) { String err = "Unknown name type: " + params.issuerType; - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CA_UNKNOWN_NAME_TYPE", params.issuerType)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", params.issuerType)); throw new EBaseException(err); } if (nType == NameType.DIRECTORY_NAME) { GeneralNames gen = new GeneralNames(); - gen.addElement(new GeneralName(new X500Name( - params.issuerName))); + gen.addElement(new GeneralName(new X500Name(params.issuerName))); crlDP.setCRLIssuer(gen); } else if (nType == NameType.URI) { GeneralNames gen = new GeneralNames(); - gen.addElement(new GeneralName(new URIName( - params.issuerName))); + gen.addElement(new GeneralName(new URIName(params.issuerName))); crlDP.setCRLIssuer(gen); } else { String err = "Unknown name type: " + nType.toString(); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", - nType.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_UNKNOWN_NAME_TYPE", nType.toString())); throw new EBaseException(err); } } 
@@ -439,16 +420,16 @@ public class CRLDistributionPointsExt extends APolicyRule implements try { // find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { // remove any previously computed version of the extension @@ -463,19 +444,15 @@ public class CRLDistributionPointsExt extends APolicyRule implements return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, - e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR", NAME, e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", + e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } } 
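Review bot: In the `extensions == null` branch of the -439/+420 hunk, `certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3))` is executed twice, once before and once after `extensions = new CertificateExtensions()`; the second call is redundant and should be removed so the branch reads set VERSION, create the container, set EXTENSIONS. The reformat preserved the duplicate rather than dropping it. The enclosing `apply` method and its `try` begin outside this hunk.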
@@ -494,7 +471,7 @@ public class CRLDistributionPointsExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java index ac32550e..4490b25e 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificatePoliciesExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -49,20 +50,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Certificate Policies. Adds certificate policies extension. + * Certificate Policies. + * Adds certificate policies extension. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class CertificatePoliciesExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class CertificatePoliciesExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_CERTPOLICIES = "numCertPolicies"; 
@@ -89,46 +91,42 @@ public class CertificatePoliciesExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mNumCertPolicies = mConfig.getInteger(PROP_NUM_CERTPOLICIES, - DEF_NUM_CERTPOLICIES); + mNumCertPolicies = mConfig.getInteger( + PROP_NUM_CERTPOLICIES, DEF_NUM_CERTPOLICIES); if (mNumCertPolicies < 1) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_CERTPOLICIES, - "value must be greater than or equal to 1")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_CERTPOLICIES, + "value must be greater than or equal to 1")); } - // init Policy Mappings, check values if enabled. + // init Policy Mappings, check values if enabled. 
mCertPolicies = new CertPolicy[mNumCertPolicies]; for (int i = 0; i < mNumCertPolicies; i++) { String subtreeName = PROP_CERTPOLICY + i; try { - mCertPolicies[i] = new CertPolicy(subtreeName, mConfig, - mEnabled); + mCertPolicies[i] = new CertPolicy(subtreeName, mConfig, mEnabled); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - NAME - + ": " - + CMS.getLogMessage( - "POLICY_ERROR_CREATE_CERT_POLICY", - e.toString())); + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("POLICY_ERROR_CREATE_CERT_POLICY", e.toString())); throw e; } } @@ -139,22 +137,22 @@ public class CertificatePoliciesExt extends APolicyRule implements Vector CertPolicies = new Vector(); for (int j = 0; j < mNumCertPolicies; j++) { - CertPolicies - .addElement(mCertPolicies[j].mCertificatePolicyInfo); + CertPolicies.addElement( + mCertPolicies[j].mCertificatePolicyInfo); } - mCertificatePoliciesExtension = new CertificatePoliciesExtension( - mCritical, CertPolicies); + mCertificatePoliciesExtension = + new CertificatePoliciesExtension(mCritical, CertPolicies); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", "Error initializing " + NAME - + " Error: " + e)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing " + NAME + " Error: " + e)); } } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(PROP_NUM_CERTPOLICIES + "=" - + mNumCertPolicies); + mInstanceParams.addElement( + PROP_NUM_CERTPOLICIES + "=" + mNumCertPolicies); for (int i = 0; i < mNumCertPolicies; i++) { mCertPolicies[i].getInstanceParams(mInstanceParams); } 
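Review bot: The `catch (IOException e)` in the -139/+137 hunk folds the exception into the message text (`" Error: " + e`) and discards `e` as the cause, so the stack trace of the underlying encoding failure is lost; if `EBaseException` has a cause-accepting constructor, pass `e` through, otherwise log it before rethrowing. The local `CertPolicies` is a variable, not a type, so by Java convention it should be `certPolicies`; the capitalized name now appears on the new `CertPolicies.addElement(` line. The enclosing `init` method begins in the previous hunk.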
@@ -163,18 +161,19 @@ public class CertificatePoliciesExt extends APolicyRule implements /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { @@ -190,13 +189,13 @@ public class CertificatePoliciesExt extends APolicyRule implements CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -205,9 +204,8 @@ public class CertificatePoliciesExt extends APolicyRule implements try { extensions.delete(CertificatePoliciesExtension.NAME); } catch (IOException e) { - // this is the hack: for some reason, the key which is the - // name - // of the policy has been converted into the OID + // this is the hack: for some reason, the key which is the name + // of the policy has been converted into the OID try { extensions.delete("2.5.29.32"); } catch (IOException ee) { 
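Review bot: The new `certInfo.set(X509CertInfo.VERSION, ...)` and `certInfo.set(X509CertInfo.EXTENSIONS, extensions)` lines in the -190/+189 hunk sit inside `try { ... } catch (Exception e) { }`, so a failure to attach the version or the extensions container is silently ignored and the method then calls `extensions.set(...)` on a container the certificate never received. The catch should at least `log(ILogger.LL_FAILURE, ...)` and return `PolicyResult.REJECTED`, or be narrowed to the checked exceptions `set` actually declares. The same empty-catch wrapper surrounds the identical new lines in CertificateRenewalWindowExt at -125/+128. The enclosing `for` loop and outer `try` begin outside this hunk.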
@@ -215,33 +213,24 @@ public class CertificatePoliciesExt extends APolicyRule implements } } extensions.set(CertificatePoliciesExtension.NAME, - mCertificatePoliciesExtension); + mCertificatePoliciesExtension); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", - e.toString())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), - NAME); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", - e.toString())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), - NAME); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", - e.toString())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), - NAME); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", + e.toString())); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; 
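Review bot: The three `catch` clauses for `IOException`, `CertificateException` and `Exception` now have byte-identical bodies (same log key, same `setError`, same `REJECTED` return), and since `Exception` already covers the other two the first two clauses are dead weight; either collapse them into the single `catch (Exception e)` or give the narrower ones a distinct log message so the failure type is visible in the log. Only `e.toString()` reaches the log, so the stack trace is lost; if the codebase has a stack-trace logging helper, call it here. The enclosing `try` and `for` loop begin outside this hunk.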
@@ -249,82 +238,74 @@ public class CertificatePoliciesExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params will - * show up in the console. + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(PROP_NUM_CERTPOLICIES + "=" - + DEF_NUM_CERTPOLICIES); + mDefParams.addElement( + PROP_NUM_CERTPOLICIES + "=" + DEF_NUM_CERTPOLICIES); String certPolicy0Dot = PROP_CERTPOLICY + "0."; - mDefParams.addElement(certPolicy0Dot - + CertPolicy.PROP_POLICY_IDENTIFIER + "=" + ""); - mDefParams.addElement(certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_ORG - + "=" + ""); - mDefParams.addElement(certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_NUMS - + "=" + ""); - mDefParams.addElement(certPolicy0Dot + CertPolicy.PROP_USER_NOTICE_TEXT - + "=" + ""); - mDefParams.addElement(certPolicy0Dot + CertPolicy.PROP_CPS_URI + "=" - + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_POLICY_IDENTIFIER + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_ORG + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_NOTICE_REF_NUMS + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_USER_NOTICE_TEXT + "=" + ""); + mDefParams.addElement( + certPolicy0Dot + CertPolicy.PROP_CPS_URI + "=" + ""); } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); - - theparams.addElement(PROP_CRITICAL - + ";boolean;RFC 3280 recommendation: MUST be non-critical."); - theparams - .addElement(PROP_NUM_CERTPOLICIES - + ";number; Number of certificate policies. The value must be greater than or equal to 1"); + + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 3280 recommendation: MUST be non-critical."); + theparams.addElement(PROP_NUM_CERTPOLICIES + ";number; Number of certificate policies. The value must be greater than or equal to 1"); for (int k = 0; k < 5; k++) { String certPolicykDot = PROP_CERTPOLICY + k + "."; - theparams - .addElement(certPolicykDot - + CertPolicy.PROP_POLICY_IDENTIFIER - + ";string,required;An object identifier in the form n.n.n.n"); - theparams.addElement(certPolicykDot - + CertPolicy.PROP_NOTICE_REF_ORG - + ";string;See RFC 3280 sec 4.2.1.5"); - theparams - .addElement(certPolicykDot - + CertPolicy.PROP_NOTICE_REF_NUMS - + ";string;comma-separated list of numbers. See RFC 3280 sec 4.2.1.5"); - theparams.addElement(certPolicykDot - + CertPolicy.PROP_USER_NOTICE_TEXT - + ";string;See RFC 3280 sec 4.2.1.5"); - theparams.addElement(certPolicykDot + CertPolicy.PROP_CPS_URI - + ";string;See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_POLICY_IDENTIFIER + ";string,required;An object identifier in the form n.n.n.n"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_NOTICE_REF_ORG + ";string;See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_NOTICE_REF_NUMS + + ";string;comma-separated list of numbers. 
See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_USER_NOTICE_TEXT + ";string;See RFC 3280 sec 4.2.1.5"); + theparams.addElement(certPolicykDot + + CertPolicy.PROP_CPS_URI + ";string;See RFC 3280 sec 4.2.1.5"); } - theparams.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-certificatepolicies"); - theparams - .addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Certificate Policies Extension. See RFC 3280 (4.2.1.5)"); + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificatepolicies"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Certificate Policies Extension. See RFC 3280 (4.2.1.5)"); String[] params = new String[theparams.size()]; @@ -333,6 +314,7 @@ public class CertificatePoliciesExt extends APolicyRule implements } } + class CertPolicy { protected static final String PROP_POLICY_IDENTIFIER = "policyId"; 
@@ -355,35 +337,34 @@ class CertPolicy { /** * forms policy map parameters. - * * @param name name of this policy map, for example certPolicy0 * @param config parent's config from where we find this configuration. * @param enabled whether policy was enabled. */ - protected CertPolicy(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected CertPolicy(String name, IConfigStore config, boolean enabled) + throws EBaseException { mName = name; mConfig = config.getSubStore(mName); mNameDot = mName + "."; - if (mConfig == null) { - CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig is " - + "null!"); - throw new EBaseException("mConfig is null"); + if( mConfig == null ) { + CMS.debug( "CertificatePoliciesExt::CertPolicy - mConfig is " + + "null!" ); + throw new EBaseException( "mConfig is null" ); } // if there's no configuration for this policy put it there. if (mConfig.size() == 0) { - config.putString(mNameDot + PROP_POLICY_IDENTIFIER, ""); - config.putString(mNameDot + PROP_NOTICE_REF_ORG, ""); - config.putString(mNameDot + PROP_NOTICE_REF_NUMS, ""); - config.putString(mNameDot + PROP_USER_NOTICE_TEXT, ""); - config.putString(mNameDot + PROP_CPS_URI, ""); + config.putString(mNameDot + PROP_POLICY_IDENTIFIER, ""); + config.putString(mNameDot + PROP_NOTICE_REF_ORG, ""); + config.putString(mNameDot + PROP_NOTICE_REF_NUMS, ""); + config.putString(mNameDot + PROP_USER_NOTICE_TEXT, ""); + config.putString(mNameDot + PROP_CPS_URI, ""); mConfig = config.getSubStore(mName); - if (mConfig == null || mConfig.size() == 0) { - CMS.debug("CertificatePoliciesExt::CertPolicy - mConfig " - + "is null or empty!"); - throw new EBaseException("mConfig is null or empty"); + if(mConfig == null || mConfig.size() == 0) { + CMS.debug( "CertificatePoliciesExt::CertPolicy - mConfig " + + "is null or empty!" ); + throw new EBaseException( "mConfig is null or empty" ); } } 
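Review bot: The new `if( mConfig == null )`, `CMS.debug( "..." )` and `throw new EBaseException( "mConfig is null" )` lines pad the inside of their parentheses, while the neighbouring `if (mConfig.size() == 0)` and `config.putString(...)` lines in the same hunk do not; the constructor should settle on one style, e.g. `if (mConfig == null) {`. The second check further down mixes both, `if(mConfig == null || mConfig.size() == 0) {`, with no space after `if`. The `CertPolicy` constructor continues past the end of this hunk.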
@@ -395,71 +376,71 @@ class CertPolicy { mCpsUri = mConfig.getString(PROP_CPS_URI, null); // adjust for "" and console returning "null" - if (mPolicyId != null - && (mPolicyId.length() == 0 || mPolicyId.equals("null"))) { + if (mPolicyId != null && + (mPolicyId.length() == 0 || + mPolicyId.equals("null"))) { mPolicyId = null; } - if (mNoticeRefOrg != null - && (mNoticeRefOrg.length() == 0 || mNoticeRefOrg.equals("null"))) { + if (mNoticeRefOrg != null && + (mNoticeRefOrg.length() == 0 || + mNoticeRefOrg.equals("null"))) { mNoticeRefOrg = null; } - if (mNoticeRefNums != null - && (mNoticeRefNums.length() == 0 || mNoticeRefNums - .equals("null"))) { + if (mNoticeRefNums != null && + (mNoticeRefNums.length() == 0 || + mNoticeRefNums.equals("null"))) { mNoticeRefNums = null; } - if (mNoticeRefExplicitText != null - && (mNoticeRefExplicitText.length() == 0 || mNoticeRefExplicitText - .equals("null"))) { + if (mNoticeRefExplicitText != null && + (mNoticeRefExplicitText.length() == 0 || + mNoticeRefExplicitText.equals("null"))) { mNoticeRefExplicitText = null; } - if (mCpsUri != null - && (mCpsUri.length() == 0 || mCpsUri.equals("null"))) { + if (mCpsUri != null && + (mCpsUri.length() == 0 || + mCpsUri.equals("null"))) { mCpsUri = null; } // policy ids cannot be null if policy is enabled. 
String msg = "value cannot be null."; - if (mPolicyId == null && enabled) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mNameDot - + PROP_POLICY_IDENTIFIER, msg)); + if (mPolicyId == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_POLICY_IDENTIFIER, msg)); msg = "NoticeReference is optional; If chosen to include, NoticeReference must at least has 'organization'"; - if (mNoticeRefOrg == null && mNoticeRefNums != null && enabled) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mNameDot - + PROP_NOTICE_REF_ORG, msg)); - - // if a policy id is not null check that it is a valid OID. + if (mNoticeRefOrg == null && mNoticeRefNums != null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_NOTICE_REF_ORG, msg)); + + // if a policy id is not null check that it is a valid OID. ObjectIdentifier policyId = null; - if (mPolicyId != null) - policyId = CMS.checkOID(mNameDot + PROP_POLICY_IDENTIFIER, - mPolicyId); - - // if enabled, form CertificatePolicyInfo to be encoded in - // extension. Policy ids should be all set. + if (mPolicyId != null) + policyId = CMS.checkOID( + mNameDot + PROP_POLICY_IDENTIFIER, mPolicyId); + + // if enabled, form CertificatePolicyInfo to be encoded in + // extension. Policy ids should be all set. 
if (enabled) { - CMS.debug("CertPolicy: in CertPolicy"); + CMS.debug("CertPolicy: in CertPolicy"); DisplayText displayText = null; - if (mNoticeRefExplicitText != null - && !mNoticeRefExplicitText.equals("")) - displayText = new DisplayText(DisplayText.tag_VisibleString, - mNoticeRefExplicitText); - // new DisplayText(DisplayText.tag_IA5String, - // mNoticeRefExplicitText); + if (mNoticeRefExplicitText != null && + !mNoticeRefExplicitText.equals("")) + displayText = new DisplayText(DisplayText.tag_VisibleString, mNoticeRefExplicitText); + // new DisplayText(DisplayText.tag_IA5String, mNoticeRefExplicitText); DisplayText orgName = null; - if (mNoticeRefOrg != null && !mNoticeRefOrg.equals("")) - orgName = new DisplayText(DisplayText.tag_VisibleString, - mNoticeRefOrg); - // new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); + if (mNoticeRefOrg != null && + !mNoticeRefOrg.equals("")) + orgName = + new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); + // new DisplayText(DisplayText.tag_VisibleString, mNoticeRefOrg); - int[] nums = new int[0]; - ; - if (mNoticeRefNums != null && !mNoticeRefNums.equals("")) { + int[] nums = new int[0];; + if (mNoticeRefNums != null && + !mNoticeRefNums.equals("")) { // should add a method to NoticeReference to take a // Vector...but let's do this for now 
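Review bot: `int[] nums = new int[0];;` on the new side carries an empty statement after the declaration; it compiles but trips most linters and reads as a typo, so it should be `int[] nums = new int[0];`. The old side had the stray `;` on its own line, and the reformat joined it rather than removing it. The enclosing `CertPolicy` constructor begins before and continues after this hunk.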
@@ -485,27 +466,26 @@ class CertPolicy { CertificatePolicyId cpolicyId = null; try { - cpolicyId = new CertificatePolicyId( - ObjectIdentifier.getObjectIdentifier(mPolicyId)); + cpolicyId = new CertificatePolicyId(ObjectIdentifier.getObjectIdentifier(mPolicyId)); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId)); + throw new + EBaseException(CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId)); } PolicyQualifiers policyQualifiers = new PolicyQualifiers(); - + NoticeReference noticeReference = null; - + if (orgName != null) noticeReference = new NoticeReference(orgName, nums); UserNotice userNotice = null; if (displayText != null || noticeReference != null) { - userNotice = new UserNotice(noticeReference, displayText); - - PolicyQualifierInfo policyQualifierInfo1 = new PolicyQualifierInfo( - PolicyQualifierInfo.QT_UNOTICE, userNotice); + userNotice = new UserNotice (noticeReference, displayText); + + PolicyQualifierInfo policyQualifierInfo1 = + new PolicyQualifierInfo(PolicyQualifierInfo.QT_UNOTICE, userNotice); policyQualifiers.add(policyQualifierInfo1); } 
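Review bot: Splitting `throw new` from `EBaseException(...)` onto two lines is an unusual break that hides what is thrown from a reader scanning the left margin; break after the opening parenthesis instead, `throw new EBaseException(` followed by `CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR", mPolicyId));`. The surrounding `catch (Exception e)` also drops `e` entirely, so an invalid policy OID is reported without the parser's own message; if `EBaseException` accepts a cause, pass it through. `new UserNotice (noticeReference, displayText)` has a space before the argument list that no other constructor call in the hunk has. The enclosing constructor begins and ends outside this hunk.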
@@ -513,48 +493,46 @@ class CertPolicy { CPSuri cpsUri = null; if (mCpsUri != null && mCpsUri.length() > 0) { - cpsUri = new CPSuri(mCpsUri); - PolicyQualifierInfo policyQualifierInfo2 = new PolicyQualifierInfo( - PolicyQualifierInfo.QT_CPS, cpsUri); - + cpsUri = new CPSuri (mCpsUri); + PolicyQualifierInfo policyQualifierInfo2 = + new PolicyQualifierInfo(PolicyQualifierInfo.QT_CPS, cpsUri); + policyQualifiers.add(policyQualifierInfo2); } - if ((mNoticeRefOrg == null || mNoticeRefOrg.equals("")) - && (mNoticeRefExplicitText == null || mNoticeRefExplicitText - .equals("")) - && (mCpsUri == null || mCpsUri.equals(""))) { - CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); - CMS.debug("CertPolicy mNoticeRefExplicitText = " - + mNoticeRefExplicitText); - CMS.debug("CertPolicy mCpsUri = " + mCpsUri); + if ((mNoticeRefOrg == null || mNoticeRefOrg.equals("")) && + (mNoticeRefExplicitText == null || mNoticeRefExplicitText.equals("")) && + (mCpsUri == null || mCpsUri.equals(""))) { + CMS.debug("CertPolicy mNoticeRefOrg = "+mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = "+mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = "+mCpsUri); mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId); } else { - CMS.debug("CertPolicy mNoticeRefOrg = " + mNoticeRefOrg); - CMS.debug("CertPolicy mNoticeRefExplicitText = " - + mNoticeRefExplicitText); - CMS.debug("CertPolicy mCpsUri = " + mCpsUri); - mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId, - policyQualifiers); + CMS.debug("CertPolicy mNoticeRefOrg = "+mNoticeRefOrg); + CMS.debug("CertPolicy mNoticeRefExplicitText = "+mNoticeRefExplicitText); + CMS.debug("CertPolicy mCpsUri = "+mCpsUri); + mCertificatePolicyInfo = new CertificatePolicyInfo(cpolicyId, policyQualifiers); } } } protected void getInstanceParams(Vector instanceParams) { - instanceParams.addElement(mNameDot + PROP_POLICY_IDENTIFIER + "=" - + (mPolicyId == null ? 
"" : mPolicyId)); - instanceParams.addElement(mNameDot + PROP_NOTICE_REF_ORG + "=" - + (mNoticeRefOrg == null ? "" : mNoticeRefOrg)); - instanceParams.addElement(mNameDot + PROP_NOTICE_REF_NUMS + "=" - + (mNoticeRefNums == null ? "" : mNoticeRefNums)); - instanceParams - .addElement(mNameDot - + PROP_USER_NOTICE_TEXT - + "=" - + (mNoticeRefExplicitText == null ? "" - : mNoticeRefExplicitText)); - instanceParams.addElement(mNameDot + PROP_CPS_URI + "=" - + (mCpsUri == null ? "" : mCpsUri)); + instanceParams.addElement( + mNameDot + PROP_POLICY_IDENTIFIER + "=" + (mPolicyId == null ? "" : + mPolicyId)); + instanceParams.addElement( + mNameDot + PROP_NOTICE_REF_ORG + "=" + (mNoticeRefOrg == null ? "" : + mNoticeRefOrg)); + instanceParams.addElement( + mNameDot + PROP_NOTICE_REF_NUMS + "=" + (mNoticeRefNums == null ? "" : + mNoticeRefNums)); + instanceParams.addElement( + mNameDot + PROP_USER_NOTICE_TEXT + "=" + (mNoticeRefExplicitText == null ? "" : + mNoticeRefExplicitText)); + instanceParams.addElement( + mNameDot + PROP_CPS_URI + "=" + (mCpsUri == null ? "" : + mCpsUri)); } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java index bb665d9e..c5a24d63 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateRenewalWindowExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Date; 
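Review bot: The three `CMS.debug("CertPolicy mNoticeRefOrg = "+mNoticeRefOrg)` / `mNoticeRefExplicitText` / `mCpsUri` lines are duplicated verbatim in both branches of the `if`/`else` that decides whether qualifiers are attached; hoist them above the `if` so each branch only constructs the `CertificatePolicyInfo`. Those new lines also drop the spaces around `+`, unlike every other concatenation in the hunk. `getInstanceParams(Vector instanceParams)` takes a raw `Vector`; `Vector<String>` would match what is added to it. The enclosing `CertPolicy` constructor begins outside this hunk.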
@@ -39,20 +40,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Certificate Renewal Window Extension Policy * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class CertificateRenewalWindowExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class CertificateRenewalWindowExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_END_TIME = "relativeEndTime"; protected static final String PROP_BEGIN_TIME = "relativeBeginTime"; @@ -63,8 +64,9 @@ public class CertificateRenewalWindowExt extends APolicyRule implements protected String mEndTime; /** - * Adds the Netscape comment in the end-entity certificates or CA - * certificates. The policy is set to be non-critical with the provided OID. + * Adds the Netscape comment in the end-entity certificates or + * CA certificates. The policy is set to be non-critical with the + * provided OID. */ public CertificateRenewalWindowExt() { NAME = "CertificateRenewalWindowExt"; @@ -73,11 +75,11 @@ public class CertificateRenewalWindowExt extends APolicyRule implements /** * Initializes this policy rule. - * - * @param config The config store reference + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mCritical = config.getBoolean(PROP_CRITICAL, false); mBeginTime = config.getString(PROP_BEGIN_TIME, null); mEndTime = config.getString(PROP_END_TIME, null); 
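Review bot: The Javadoc on the `CertificateRenewalWindowExt()` constructor in the -63/+64 hunk still says it "Adds the Netscape comment in the end-entity certificates or CA certificates ... with the provided OID", which describes a different policy; it should describe this one, e.g. `Sets the policy name; the renewal window is read from config in init() and attached to the certificate in apply().`. In the following -73/+75 hunk, `init` documents `@param config` but not `@param owner`. Both method bodies continue outside their hunks.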
@@ -87,15 +89,16 @@ public class CertificateRenewalWindowExt extends APolicyRule implements /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -116,8 +119,8 @@ public class CertificateRenewalWindowExt extends APolicyRule implements CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { } catch (CertificateException e) { } @@ -125,8 +128,8 @@ public class CertificateRenewalWindowExt extends APolicyRule implements if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -134,10 +137,10 @@ public class CertificateRenewalWindowExt extends APolicyRule implements // remove any previously computed version of the extension try { extensions.delete(CertificateRenewalWindowExtension.NAME); - + } catch (IOException e) { // this is the hack: for some reason, the key which is the name - // of the policy has been converted into the OID + // of the policy has been converted into the OID try { extensions.delete("2.16.840.1.113730.1.15"); } catch (IOException ee) { 
@@ -150,21 +153,23 @@ public class CertificateRenewalWindowExt extends APolicyRule implements CertificateRenewalWindowExtension crwExt = null; if (mEndTime == null || mEndTime.equals("")) { - crwExt = new CertificateRenewalWindowExtension(mCritical, - getDateValue(now, mBeginTime), null); + crwExt = new CertificateRenewalWindowExtension( + mCritical, + getDateValue(now, mBeginTime), + null); } else { - crwExt = new CertificateRenewalWindowExtension(mCritical, - getDateValue(now, mBeginTime), getDateValue(now, - mEndTime)); + crwExt = new CertificateRenewalWindowExtension( + mCritical, + getDateValue(now, mBeginTime), + getDateValue(now, mEndTime)); } - extensions.set(CertificateRenewalWindowExtension.NAME, crwExt); + extensions.set(CertificateRenewalWindowExtension.NAME, + crwExt); } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); - setError( - req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), - NAME); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; 
@@ -174,18 +179,20 @@ public class CertificateRenewalWindowExt extends APolicyRule implements long time; if (s.endsWith("s")) { - time = 1000 * Long.parseLong(s.substring(0, s.length() - 1)); + time = 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); } else if (s.endsWith("m")) { - time = 60 * 1000 * Long.parseLong(s.substring(0, s.length() - 1)); + time = 60 * 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); } else if (s.endsWith("h")) { - time = 60 * 60 * 1000 * Long.parseLong(s.substring(0, - s.length() - 1)); + time = 60 * 60 * 1000 * Long.parseLong(s.substring(0, + s.length() - 1)); } else if (s.endsWith("D")) { - time = 24 * 60 * 60 * 1000 - * Long.parseLong(s.substring(0, s.length() - 1)); + time = 24 * 60 * 60 * 1000 * Long.parseLong( + s.substring(0, s.length() - 1)); } else if (s.endsWith("M")) { - time = 30 * 60 * 60 * 1000 - * Long.parseLong(s.substring(0, s.length() - 1)); + time = 30 * 60 * 60 * 1000 * Long.parseLong( + s.substring(0, s.length() - 1)); } else { time = 1000 * Long.parseLong(s); } 
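Review bot: The `M` branch rewritten in this hunk scales by `30 * 60 * 60 * 1000`, which is 30 hours, while the relativeBeginTime/relativeEndTime help text in the next hunk documents `M` as months; a renewal window configured in months therefore closes about 30 hours after issuance instead of 30 days. The commit only re-wraps the line, so the miscalculation survives on the new side. If a month is meant as 30 days the line should read `time = 30L * 24 * 60 * 60 * 1000 * Long.parseLong(s.substring(0, s.length() - 1));` — the long literal matters because 2,592,000,000 does not fit in int arithmetic. getDateValue's signature and the lines before `long time;` lie outside the hunk.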
@@ -195,16 +202,14 @@ public class CertificateRenewalWindowExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;Netscape recommendation: non-critical.", - PROP_BEGIN_TIME - + ";string;Start Time in seconds (Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", - PROP_END_TIME - + ";string;End Time in seconds (Optional, Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-certificaterenewalwindow", - IExtendedPluginInfo.HELP_TEXT - + ";Adds 'Certificate Renewal Window' extension. See manual" }; + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_BEGIN_TIME + ";string;Start Time in seconds (Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", + PROP_END_TIME + ";string;End Time in seconds (Optional, Relative to the time of issuance). Optionally, time unit (s - seconds, m - minutes, h - hours, D - days, M - months) can be specified right after the value. For example, 5 days can be expressed as 5D.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificaterenewalwindow", + IExtendedPluginInfo.HELP_TEXT + + ";Adds 'Certificate Renewal Window' extension. See manual" + }; return params; 
@@ -212,10 +217,10 @@ public class CertificateRenewalWindowExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); @@ -234,10 +239,10 @@ public class CertificateRenewalWindowExt extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java index a1721229..e6cbddf6 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/CertificateScopeOfUseExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -42,26 +43,31 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Certificate Scope Of Use extension policy. This extension is defined in - * draft-thayes-cert-scope-00.txt + * Certificate Scope Of Use extension policy. This extension + * is defined in draft-thayes-cert-scope-00.txt * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class CertificateScopeOfUseExt extends APolicyRule implements +public class CertificateScopeOfUseExt extends APolicyRule implements IEnrollmentPolicy, IExtendedPluginInfo { - protected static final String PROP_CRITICAL = "critical"; - protected static final String PROP_ENTRY = "entry"; - protected static final String PROP_NAME = "name"; - protected static final String PROP_NAME_TYPE = "name_type"; - protected static final String PROP_PORT_NUMBER = "port_number"; + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_ENTRY = + "entry"; + protected static final String PROP_NAME = + "name"; + protected static final String PROP_NAME_TYPE = + "name_type"; + protected static final String PROP_PORT_NUMBER = + "port_number"; public static final int MAX_ENTRY = 5; 
@@ -75,22 +81,17 @@ public class CertificateScopeOfUseExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { Vector v = new Vector(); - v.addElement(PROP_CRITICAL - + ";boolean; This extension may be either critical or non-critical."); - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-certificatescopeofuse"); - v.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Certificate Scope of Use Extension."); + v.addElement(PROP_CRITICAL + + ";boolean; This extension may be either critical or non-critical."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-certificatescopeofuse"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Certificate Scope of Use Extension."); for (int i = 0; i < MAX_ENTRY; i++) { - v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME - + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); - v.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME_TYPE + ";" - + IGeneralNameUtil.GENNAME_CHOICE_INFO); - v.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_PORT_NUMBER + ";string;" - + "The port number (optional)."); + v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME + ";" + IGeneralNameUtil.GENNAME_VALUE_INFO); + v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME_TYPE + ";" + IGeneralNameUtil.GENNAME_CHOICE_INFO); + v.addElement(PROP_ENTRY + Integer.toString(i) + "_" + PROP_PORT_NUMBER + ";string;" + "The port number (optional)."); } return com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } 
@@ -98,17 +99,17 @@ public class CertificateScopeOfUseExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; } @@ -123,8 +124,8 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // for (int i = 0;; i++) { // get port number (optional) - String port = mConfig.getString(PROP_ENTRY + Integer.toString(i) - + "_" + PROP_PORT_NUMBER, null); + String port = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER, null); BigInt portNumber = null; if (port != null && !port.equals("")) { @@ -136,11 +137,12 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // TAG ::= uriName | dirName // VALUE ::= [value defined by TAG] // - String name_type = mConfig.getString( - PROP_ENTRY + Integer.toString(i) + "_" + PROP_NAME_TYPE, - null); - String name = mConfig.getString(PROP_ENTRY + Integer.toString(i) - + "_" + PROP_NAME, null); + String name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME_TYPE, null); + String name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME, null); if (name == null || name.equals("")) break; 
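Review bot: The init() Javadoc re-wrapped here gives `ca.Policy.rule.<ruleName>.implName=AuthInfoAccessExt` as the sample entry, but this class is CertificateScopeOfUseExt; the apply() Javadoc in the hunk at -152,10 likewise says the policy adds "the authority information access extension", and the hunk at -174,73 keeps the comment `// check to see if AIA is already exist`. All three read as copied from AuthInfoAccessExt and would mislead anyone configuring or maintaining this rule. Suggest `implName=CertificateScopeOfUseExt` in the sample here, `If this policy is enabled, add the certificate scope of use extension to the certificate.` for apply(), and `// remove a previously computed scope-of-use extension, if any` for the inline comment.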
@@ -152,10 +154,10 @@ public class CertificateScopeOfUseExt extends APolicyRule implements } /** - * If this policy is enabled, add the authority information access extension - * to the certificate. + * If this policy is enabled, add the authority information + * access extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -163,10 +165,11 @@ public class CertificateScopeOfUseExt extends APolicyRule implements PolicyResult res = PolicyResult.ACCEPTED; X509CertInfo certInfo; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = req.getExtDataInCertInfoArray( + IRequest.CERT_INFO); if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -174,73 +177,64 @@ public class CertificateScopeOfUseExt extends APolicyRule implements certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME)); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // add access descriptions Vector entries = getScopeEntries(); if (entries.size() == 0) { return res; - } - + } + if (extensions == null) { // create extension if not exist - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { // check to see if AIA is already exist try { extensions.delete(CertificateScopeOfUseExtension.NAME); - log(ILogger.LL_INFO, "Previous extension deleted: " - + CertificateScopeOfUseExtension.NAME); + log(ILogger.LL_INFO, "Previous extension deleted: " + CertificateScopeOfUseExtension.NAME); } catch (IOException ex) { } } // Create the extension - CertificateScopeOfUseExtension suExt = new CertificateScopeOfUseExtension( - mConfig.getBoolean(PROP_CRITICAL, false), entries); + CertificateScopeOfUseExtension suExt = new + CertificateScopeOfUseExtension(mConfig.getBoolean( + PROP_CRITICAL, false), entries); extensions.set(CertificateScopeOfUseExtension.NAME, suExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, - 
CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - "Configuration Info Error encountered: " - + e.getMessage()); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, + "Configuration Info Error encountered: " + + e.getMessage()); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } @@ -250,15 +244,15 @@ public class CertificateScopeOfUseExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); try { - params.addElement(PROP_CRITICAL + "=" - + mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_CRITICAL + "=" + + mConfig.getBoolean(PROP_CRITICAL, false)); } catch (EBaseException e) { } 
@@ -266,44 +260,50 @@ public class CertificateScopeOfUseExt extends APolicyRule implements String name_type = null; try { - name_type = mConfig.getString(PROP_ENTRY + Integer.toString(i) - + "_" + PROP_NAME_TYPE, null); + name_type = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME_TYPE, + null); } catch (EBaseException e) { } if (name_type == null) break; - params.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME_TYPE + "=" + name_type); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "=" + name_type); String name = null; try { - name = mConfig.getString(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME, null); + name = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_NAME, + null); } catch (EBaseException e) { } if (name == null) break; - params.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME + "=" + name); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_NAME + "=" + name); String port = null; try { - port = mConfig.getString(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_PORT_NUMBER, ""); + port = mConfig.getString(PROP_ENTRY + + Integer.toString(i) + "_" + PROP_PORT_NUMBER, + ""); } catch (EBaseException e) { } - params.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_PORT_NUMBER + "=" + port); + params.addElement(PROP_ENTRY + + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "=" + port); } return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); 
@@ -314,13 +314,14 @@ public class CertificateScopeOfUseExt extends APolicyRule implements // the CMS.cfg // for (int i = 0; i < MAX_ENTRY; i++) { - defParams.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME_TYPE + "="); - defParams.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_NAME + "="); - defParams.addElement(PROP_ENTRY + Integer.toString(i) + "_" - + PROP_PORT_NUMBER + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME_TYPE + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_NAME + "="); + defParams.addElement(PROP_ENTRY + Integer.toString(i) + + "_" + PROP_PORT_NUMBER + "="); } return defParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java index 660c0026..b5c4176d 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/ExtendedKeyUsageExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -39,20 +40,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * This implements the extended key usage extension. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class ExtendedKeyUsageExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class ExtendedKeyUsageExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_CRITICAL = "critical"; protected static final String PROP_PURPOSE_ID = "id"; protected static final String PROP_NUM_IDS = "numIds"; @@ -62,7 +63,7 @@ public class ExtendedKeyUsageExt extends APolicyRule implements private Vector mUsages = null; private String[] mParams = null; - + // PKIX specifies the that the extension SHOULD NOT be critical public static final boolean DEFAULT_CRITICALITY = false; @@ -80,7 +81,7 @@ public class ExtendedKeyUsageExt extends APolicyRule implements * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; setExtendedPluginInfo(); setupParams(); @@ -97,7 +98,8 @@ public class ExtendedKeyUsageExt extends APolicyRule implements return PolicyResult.ACCEPTED; } - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); 
@@ -116,16 +118,16 @@ public class ExtendedKeyUsageExt extends APolicyRule implements public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { // find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { @@ -139,22 +141,19 @@ public class ExtendedKeyUsageExt extends APolicyRule implements return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", + e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } } - + /** * Returns instance specific parameters. */ 
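Review bot: In the `extensions == null` branch of applyCert, `certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3))` is issued twice, once before and once after `extensions = new CertificateExtensions()`, and the commit re-wraps both copies instead of dropping one. The second call is redundant; the same branch in CertificateScopeOfUseExt (hunk at -174,73) sets the version once. Removing the second `certInfo.set(X509CertInfo.VERSION,` / `new CertificateVersion(CertificateVersion.V3));` pair keeps this method consistent with its siblings. The remainder of applyCert continues in the following hunk.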
@@ -173,15 +172,16 @@ public class ExtendedKeyUsageExt extends APolicyRule implements for (int i = 0; i < numIds; i++) { if (mUsages.size() <= i) { - params.addElement(PROP_PURPOSE_ID + Integer.toString(i) + "="); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); } else { usage = ((ObjectIdentifier) mUsages.elementAt(i)).toString(); if (usage == null) { - params.addElement(PROP_PURPOSE_ID + Integer.toString(i) - + "="); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "="); } else { - params.addElement(PROP_PURPOSE_ID + Integer.toString(i) - + "=" + usage); + params.addElement(PROP_PURPOSE_ID + + Integer.toString(i) + "=" + usage); } } } 
@@ -199,20 +199,18 @@ public class ExtendedKeyUsageExt extends APolicyRule implements } } for (int i = 0; i < mNum; i++) { - v.addElement(PROP_PURPOSE_ID - + Integer.toString(i) - + ";string;" - + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 2.16.840.1.113730.1.99"); + v.addElement(PROP_PURPOSE_ID + Integer.toString(i) + ";string;" + + "A unique,valid OID specified in dot-separated numeric component notation. e.g. 2.16.840.1.113730.1.99"); } v.addElement(PROP_NUM_IDS + ";number;The total number of policy IDs."); - v.addElement(PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: This extension may, at the option of the certificate issuer, be either critical or non-critical."); - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-extendedkeyusage"); - v.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Extended Key Usage Extension. Defined in RFC 2459 " - + "(4.2.1.13)"); + v.addElement(PROP_CRITICAL + + ";boolean;RFC 2459 recommendation: This extension may, at the option of the certificate issuer, be either critical or non-critical."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-extendedkeyusage"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Extended Key Usage Extension. Defined in RFC 2459 " + + "(4.2.1.13)"); mParams = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } @@ -223,7 +221,7 @@ public class ExtendedKeyUsageExt extends APolicyRule implements } return mParams; } - + /** * Returns default parameters. */ 
@@ -237,48 +235,44 @@ public class ExtendedKeyUsageExt extends APolicyRule implements } return defParams; } - + /** * Setups parameters. */ private void setupParams() throws EBaseException { - + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); if (mUsages == null) { mUsages = new Vector(); } - + int mNum = mConfig.getInteger(PROP_NUM_IDS, MAX_PURPOSE_ID); for (int i = 0; i < mNum; i++) { ObjectIdentifier usageOID = null; - - String usage = mConfig.getString( - PROP_PURPOSE_ID + Integer.toString(i), null); + + String usage = mConfig.getString(PROP_PURPOSE_ID + + Integer.toString(i), null); try { - - if (usage == null) - break; + + if (usage == null) break; usage = usage.trim(); - if (usage.equals("")) - break; + if (usage.equals("")) break; if (usage.equalsIgnoreCase("ocspsigning")) { - usageOID = ObjectIdentifier - .getObjectIdentifier(ExtendedKeyUsageExtension.OID_OCSPSigning); + usageOID = ObjectIdentifier.getObjectIdentifier(ExtendedKeyUsageExtension.OID_OCSPSigning); } else if (usage.equalsIgnoreCase("codesigning")) { - usageOID = ObjectIdentifier - .getObjectIdentifier(ExtendedKeyUsageExtension.OID_CODESigning); + usageOID = ObjectIdentifier.getObjectIdentifier(ExtendedKeyUsageExtension.OID_CODESigning); } else { // it could be an object identifier, test it usageOID = ObjectIdentifier.getObjectIdentifier(usage); } } catch (IOException ex) { - throw new EBaseException(this.getClass().getName() + ":" - + ex.getMessage()); + throw new EBaseException(this.getClass().getName() + ":" + + ex.getMessage()); } catch (NumberFormatException ex) { - throw new EBaseException(this.getClass().getName() + ":" - + "OID '" + usage + "' format error"); + throw new EBaseException(this.getClass().getName() + ":" + + "OID '" + usage + "' format error"); } mUsages.addElement(usageOID); } 
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java b/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java index 0ce9362a..47e3de0c 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/GenericASN1Ext.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -45,10 +46,12 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Private Integer extension policy. If this policy is enabled, it adds an - * Private Integer extension to the certificate. - * + * Private Integer extension policy. + * If this policy is enabled, it adds an Private Integer + * extension to the certificate. + * * The following listed sample configuration parameters: * * ca.Policy.impl.privateInteger.class=com.netscape.certsrv.policy.genericASNExt 
@@ -75,242 +78,101 @@ import com.netscape.cms.policy.APolicyRule; * ca.Policy.rule.genericASNExt.implName=genericASNExt * ca.Policy.rule.genericASNExt.predicate= * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class GenericASN1Ext extends APolicyRule implements + IEnrollmentPolicy, IExtendedPluginInfo { protected static final int MAX_ATTR = 10; - protected static final String PROP_CRITICAL = "critical"; - protected static final String PROP_NAME = "name"; - protected static final String PROP_OID = "oid"; - protected static final String PROP_PATTERN = "pattern"; - protected static final String PROP_ATTRIBUTE = "attribute"; - protected static final String PROP_TYPE = "type"; - protected static final String PROP_SOURCE = "source"; - protected static final String PROP_VALUE = "value"; - protected static final String PROP_PREDICATE = "predicate"; - - protected static final String PROP_ENABLE = "enable"; + protected static final String PROP_CRITICAL = + "critical"; + protected static final String PROP_NAME = + "name"; + protected static final String PROP_OID = + "oid"; + protected static final String PROP_PATTERN = + "pattern"; + protected static final String PROP_ATTRIBUTE = + "attribute"; + protected static final String PROP_TYPE = + "type"; + protected static final String PROP_SOURCE = + "source"; + protected static final String PROP_VALUE = + "value"; + protected static final String PROP_PREDICATE = + "predicate"; + + protected static final String PROP_ENABLE = + "enable"; public IConfigStore mConfig = null; private String pattern = null; - + public String[] getExtendedPluginInfo(Locale locale) { String s[] = { "enable" + ";boolean;Enable this policy", "predicate" + ";string;", PROP_CRITICAL + ";boolean;", - PROP_NAME + ";string;Name for this 
extension.", - PROP_OID - + ";string;OID number for this extension. It should be unique.", + PROP_NAME + ";string;Name for this extension.", + PROP_OID + ";string;OID number for this extension. It should be unique.", PROP_PATTERN + ";string;Pattern for extension; {012}34", // Attribute 0 - PROP_ATTRIBUTE - + "." - + "0" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "0" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "0" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "0" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "0" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "0" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 1 - PROP_ATTRIBUTE - + "." - + "1" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "1" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "1" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "1" + "." 
+ PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "1" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "1" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 2 - PROP_ATTRIBUTE - + "." - + "2" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "2" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "2" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "2" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "2" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "2" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 3 - PROP_ATTRIBUTE - + "." - + "3" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "3" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "3" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. 
If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "3" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "3" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "3" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 4 - PROP_ATTRIBUTE - + "." - + "4" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "4" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "4" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "4" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "4" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "4" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 5 - PROP_ATTRIBUTE - + "." - + "5" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "5" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. 
You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "5" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "5" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "5" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "5" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 6 - PROP_ATTRIBUTE - + "." - + "6" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "6" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "6" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "6" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "6" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "6" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 7 - PROP_ATTRIBUTE - + "." - + "7" - + "." 
- + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "7" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "7" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "7" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "7" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "7" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", // Attribute 8 - PROP_ATTRIBUTE - + "." - + "8" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "8" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "8" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + PROP_ATTRIBUTE + "." + "8" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "8" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "8" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. 
If data source is 'file', specify the file name with full path.", // Attribute 9 - PROP_ATTRIBUTE - + "." - + "9" - + "." - + PROP_TYPE - + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", - PROP_ATTRIBUTE - + "." - + "9" - + "." - + PROP_SOURCE - + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", - PROP_ATTRIBUTE - + "." - + "9" - + "." - + PROP_VALUE - + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-genericasn1ext", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Private extension based on ASN1. See manual" }; + PROP_ATTRIBUTE + "." + "9" + "." + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension", + PROP_ATTRIBUTE + "." + "9" + "." + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.", + PROP_ATTRIBUTE + "." + "9" + "." + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-genericasn1ext", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Private extension based on ASN1. See manual" + }; return s; } - + public GenericASN1Ext() { NAME = "GenericASN1Ext"; DESC = "Sets Generic extension for certificates"; 
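Review bot: getExtendedPluginInfo spells out the same three attribute descriptors ten times with only the index changing, and the reflow in this hunk keeps that duplication while making each entry a very long line; since `MAX_ATTR` already fixes the count, building the array in a loop keeps the ten entries in sync and makes the (runtime, operator-visible) typo `specity` in the PROP_VALUE descriptor a one-place fix. The loop below preserves every string byte-for-byte; correcting `specity` to `specify` is a separate one-word change in the PROP_VALUE line. The constants and the constructor after the method are unchanged.
```java
    public String[] getExtendedPluginInfo(Locale locale) {
        Vector v = new Vector();
        v.addElement("enable" + ";boolean;Enable this policy");
        v.addElement("predicate" + ";string;");
        v.addElement(PROP_CRITICAL + ";boolean;");
        v.addElement(PROP_NAME + ";string;Name for this extension.");
        v.addElement(PROP_OID + ";string;OID number for this extension. It should be unique.");
        v.addElement(PROP_PATTERN + ";string;Pattern for extension; {012}34");
        // One type/source/value triple per attribute slot, matching getDefaultParams.
        for (int i = 0; i < MAX_ATTR; i++) {
            String prefix = PROP_ATTRIBUTE + "." + i + ".";
            v.addElement(prefix + PROP_TYPE + ";choice(Integer,IA5String,OctetString,PrintableString,VisibleString,UTCTime,OID,Boolean);Attribute type for extension");
            v.addElement(prefix + PROP_SOURCE + ";choice(Value,File);Data Source for the extension. You can specify the value here or file name has value.");
            v.addElement(prefix + PROP_VALUE + ";string;If data source is 'value', specity value here. If data source is 'file', specify the file name with full path.");
        }
        v.addElement(IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-genericasn1ext");
        v.addElement(IExtendedPluginInfo.HELP_TEXT + ";Adds Private extension based on ASN1. See manual");
        String[] s = new String[v.size()];
        v.copyInto(s);
        return s;
    }
```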
@@ -319,17 +181,17 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=genericASNExt - * ca.Policy.rule.<ruleName>.enable=true - * ca.Policy.rule.<ruleName>.predicate= - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=genericASNExt + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>.predicate= + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; if (mConfig == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); @@ -340,33 +202,33 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, if (enable == false) return; - + String oid = mConfig.getString(PROP_OID, null); if ((oid == null) || (oid.length() == 0)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); return; } - + String name = mConfig.getString(PROP_NAME, null); if ((name == null) || (name.length() == 0)) { log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_INIT_ERROR")); return; } - + try { if (File.separatorChar == '\\') { pattern = mConfig.getString(PROP_PATTERN, null); checkFilename(0); - } + } } catch (IOException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } catch (EBaseException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } - - // Check OID value + + // Check OID value CMS.checkOID(name, oid); pattern = mConfig.getString(PROP_PATTERN, null); checkOID(0); 
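Review bot: In init, `checkFilename(0)` runs only when `File.separatorChar == '\\'`, so on other platforms a `file`-sourced attribute whose path cannot be opened is not detected at init, and when the check does run its IOException or EBaseException is merely logged and init continues as if the configuration were valid; if bad configuration is meant to disable the rule, return after the log the way the preceding oid and name checks do. The `"" + e.toString()` concatenation in both catch branches is redundant: `log(ILogger.LL_FAILURE, e.toString());`. `if (enable == false) return;` reads more clearly as `if (!enable) { return; }`. The start of init, including where `enable` is read, is outside this hunk.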
@@ -375,19 +237,18 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, ObjectIdentifier tmpid = new ObjectIdentifier(oid); if (OIDMap.getName(tmpid) == null) - OIDMap.addAttribute( - "netscape.security.extensions.GenericASN1Extension", - oid, name); + OIDMap.addAttribute("netscape.security.extensions.GenericASN1Extension", oid, name); } catch (CertificateException e) { log(ILogger.LL_FAILURE, "" + e.toString()); } - + } // Check filename - private int checkFilename(int index) throws IOException, EBaseException { + private int checkFilename(int index) + throws IOException, EBaseException { String source = null; - + while (index < pattern.length()) { char ch = pattern.charAt(index); @@ -401,30 +262,28 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, return index; default: - source = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." - + PROP_SOURCE, null); + source = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_SOURCE, null); if ((source != null) && (source.equalsIgnoreCase("file"))) { - String oValue = mConfig.getString(PROP_ATTRIBUTE + "." + ch - + "." + PROP_VALUE, null); + String oValue = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); String nValue = oValue.replace('\\', '/'); - mConfig.putString(PROP_ATTRIBUTE + "." + ch + "." - + PROP_VALUE, nValue); + mConfig.putString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, nValue); FileInputStream fis = new FileInputStream(nValue); fis.close(); - } + } } index++; - } + } return index; } // Check oid - private int checkOID(int index) throws EBaseException { + private int checkOID(int index) + throws EBaseException { String type = null; String oid = null; - + while (index < pattern.length()) { char ch = pattern.charAt(index); 
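Review bot: In checkFilename, `oValue.replace('\\', '/')` dereferences the configured value without a null check, so an attribute whose source is `file` but has no `value` entry fails with a NullPointerException instead of a configuration error; guard it first with `if (oValue == null) { throw new EBaseException(NAME + ": missing " + PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE); }`. The method also writes the normalised path back with `mConfig.putString(...)`, a side effect a reader would not expect from a method named check; a comment such as `// normalise backslashes in place so later reads see a portable path` would make that deliberate. Opening and immediately closing a `FileInputStream` only proves the file is readable at init time, not that its contents are valid, so a comment noting the probe is advisory would help. The `switch` enclosing this `default:` branch begins outside the hunk.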
@@ -438,25 +297,23 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, return index; default: - type = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." - + PROP_TYPE, null); + type = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_TYPE, null); if ((type != null) && (type.equalsIgnoreCase("OID"))) { - oid = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." - + PROP_VALUE, null); + oid = mConfig.getString(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, null); CMS.checkOID(oid, oid); - } + } } index++; - } + } return index; } - + /** - * If this policy is enabled, add the private Integer information extension - * to the certificate. + * If this policy is enabled, add the private Integer + * information extension to the certificate. * <P> - * + * * @param req The request on which to apply policy. * @return The policy result object. */ @@ -464,9 +321,9 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, PolicyResult res = PolicyResult.ACCEPTED; X509CertInfo certInfo; X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + if (ci == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
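Review bot: checkOID calls `CMS.checkOID(oid, oid)` with the OID string in the name position, whereas init calls `CMS.checkOID(name, oid)`; if the first argument is the label used in the resulting error, a failing attribute OID is reported without saying which attribute it came from, and `CMS.checkOID(PROP_ATTRIBUTE + "." + ch + "." + PROP_VALUE, oid)` would keep that context. `oid` is also passed through unchanged when `mConfig.getString(..., null)` returned null, so a `type=OID` attribute with no value relies on checkOID tolerating null rather than failing with an explicit configuration error. The switch enclosing this branch starts outside the hunk.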
@@ -474,24 +331,19 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, certInfo = ci[j]; if (certInfo == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", "")); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", "")); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) certInfo.get(X509CertInfo.EXTENSIONS); if (extensions == null) { // create extension if not exist - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { 
@@ -506,50 +358,35 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, // Create the extension GenericASN1Extension priExt = mkExtension(); - + extensions.set(GenericASN1Extension.NAME, priExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Configuration Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Configuration Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. 
} catch (ParseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_EXTENSION_ERROR", - e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Pattern parsing error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_EXTENSION_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Pattern parsing error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_UNKNOWN_EXCEPTION", - e.getMessage())); - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Unknown Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_UNKNOWN_EXCEPTION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Unknown Error"); return PolicyResult.REJECTED; // unrecoverable error. } } @@ -559,8 +396,8 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, /** * Construct GenericASN1Extension with value from CMS.cfg */ - protected GenericASN1Extension mkExtension() throws IOException, - EBaseException, ParseException { + protected GenericASN1Extension mkExtension() + throws IOException, EBaseException, ParseException { GenericASN1Extension ext; Hashtable h = new Hashtable(); 
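Review bot: The final `catch (Exception e)` in apply also catches RuntimeExceptions, and logs them with `e.getMessage()`, which is null for most of them (a NullPointerException from a missing attribute value, for instance), so the failure is recorded as `BASE_UNKNOWN_EXCEPTION` with no usable detail; use `e.toString()` in that branch, and the same applies to the IOException branch earlier in the hunk. IssuerAltNameExt.apply in this same commit rethrows RuntimeException before logging, so the two policies currently follow different conventions for unexpected errors and should settle on one. The start of apply and its enclosing loop are outside the hunk.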
@@ -576,52 +413,41 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; String propsource = PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE; String propvalue = PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE; - + h.put(proptype, mConfig.getString(proptype, null)); h.put(propsource, mConfig.getString(propsource, null)); h.put(propvalue, mConfig.getString(propvalue, null)); } ext = new GenericASN1Extension(h); return ext; - } - + } + /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { int idx = 0; Vector params = new Vector(); try { - params.addElement(PROP_CRITICAL + "=" - + mConfig.getBoolean(PROP_CRITICAL, false)); - params.addElement(PROP_NAME + "=" - + mConfig.getString(PROP_NAME, null)); - params.addElement(PROP_OID + "=" - + mConfig.getString(PROP_OID, null)); - params.addElement(PROP_PATTERN + "=" - + mConfig.getString(PROP_PATTERN, null)); - + params.addElement(PROP_CRITICAL + "=" + mConfig.getBoolean(PROP_CRITICAL, false)); + params.addElement(PROP_NAME + "=" + mConfig.getString(PROP_NAME, null)); + params.addElement(PROP_OID + "=" + mConfig.getString(PROP_OID, null)); + params.addElement(PROP_PATTERN + "=" + mConfig.getString(PROP_PATTERN, null)); + for (idx = 0; idx < MAX_ATTR; idx++) { String proptype = PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE; - String propsource = PROP_ATTRIBUTE + "." + idx + "." - + PROP_SOURCE; - String propvalue = PROP_ATTRIBUTE + "." + idx + "." - + PROP_VALUE; - - params.addElement(proptype + "=" - + mConfig.getString(proptype, null)); - params.addElement(propsource + "=" - + mConfig.getString(propsource, null)); - params.addElement(propvalue + "=" - + mConfig.getString(propvalue, null)); + String propsource = PROP_ATTRIBUTE + "." + idx + "." 
+ PROP_SOURCE; + String propvalue = PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE; + + params.addElement(proptype + "=" + mConfig.getString(proptype, null)); + params.addElement(propsource + "=" + mConfig.getString(propsource, null)); + params.addElement(propvalue + "=" + mConfig.getString(propvalue, null)); } - params.addElement(PROP_PREDICATE + "=" - + mConfig.getString(PROP_PREDICATE, null)); - } catch (EBaseException e) { - ; + params.addElement(PROP_PREDICATE + "=" + mConfig.getString(PROP_PREDICATE, null)); + } catch (EBaseException e) {; } return params; @@ -629,28 +455,26 @@ public class GenericASN1Ext extends APolicyRule implements IEnrollmentPolicy, /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { int idx = 0; - + Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); defParams.addElement(PROP_NAME + "="); defParams.addElement(PROP_OID + "="); defParams.addElement(PROP_PATTERN + "="); - + for (idx = 0; idx < MAX_ATTR; idx++) { - defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE - + "="); - defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE - + "="); - defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE - + "="); + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_TYPE + "="); + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_SOURCE + "="); + defParams.addElement(PROP_ATTRIBUTE + "." + idx + "." + PROP_VALUE + "="); } - + return defParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java index bdf1701f..cc2751c0 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/IssuerAltNameExt.java 
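Review bot: In mkExtension, `h.put(proptype, mConfig.getString(proptype, null))` and the two lines after it store the raw result of a `getString(..., null)` lookup; if `h` is a `java.util.Hashtable` (the `Hashtable h = new Hashtable();` declaration in the previous hunk suggests so), a null value makes `put` throw NullPointerException, so an attribute referenced by the pattern but missing its `type`, `source` or `value` surfaces as an NPE caught by the broad `catch (Exception e)` in apply rather than as a configuration error with the property name. Reading each value through a small helper that throws `EBaseException` naming the property gives the operator the missing key. Separately, `catch (EBaseException e) {;}` in getInstanceParams swallows the failure silently; at minimum `log(ILogger.LL_FAILURE, e.toString());` should replace the empty statement. The loop header of mkExtension is outside the hunk.
```java
            // … unchanged: proptype/propsource/propvalue construction …
            h.put(proptype, requireConfigured(proptype));
            h.put(propsource, requireConfigured(propsource));
            h.put(propvalue, requireConfigured(propvalue));
        }
        ext = new GenericASN1Extension(h);
        return ext;
    }

    // Reads a required attribute property; Hashtable cannot hold null values.
    private String requireConfigured(String prop) throws EBaseException {
        String v = mConfig.getString(prop, null);
        if (v == null) {
            throw new EBaseException(NAME + ": missing configuration value for " + prop);
        }
        return v;
    }
```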
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -40,23 +41,23 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Issuer Alt Name Extension policy. * - * This extension is used to associate Internet-style identities with the - * Certificate issuer. + * This extension is used to associate Internet-style identities + * with the Certificate issuer. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class IssuerAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { public static final String PROP_CRITICAL = "critical"; // PKIX specifies the that the extension SHOULD NOT be critical 
@@ -68,16 +69,15 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, static { defaultParams.addElement(PROP_CRITICAL + "=" + DEFAULT_CRITICALITY); CMS.getGeneralNamesConfigDefaultParams(null, true, defaultParams); - + Vector info = new Vector(); - info.addElement(PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: SHOULD NOT be marked critical."); - info.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-issueraltname"); - info.addElement(IExtendedPluginInfo.HELP_TEXT - + ";This policy inserts the Issuer Alternative Name " - + "Extension into the certificate. See RFC 2459 (4.2.1.8). "); + info.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD NOT be marked critical."); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-issueraltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Issuer Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.8). "); CMS.getGeneralNamesConfigExtendedPluginInfo(null, true, info); 
@@ -102,60 +102,61 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. - * - * @param config The config store reference + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // get criticality mCritical = mConfig.getBoolean(PROP_CRITICAL, DEFAULT_CRITICALITY); // get enabled. - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); // form general names. mGNs = CMS.createGeneralNamesConfig(null, config, true, mEnabled); // form extension try { - if (mEnabled && mGNs.getGeneralNames() != null - && !mGNs.getGeneralNames().isEmpty()) { - mExtension = new IssuerAlternativeNameExtension( - Boolean.valueOf(mCritical), mGNs.getGeneralNames()); + if (mEnabled && + mGNs.getGeneralNames() != null && !mGNs.getGeneralNames().isEmpty()) { + mExtension = + new IssuerAlternativeNameExtension( + Boolean.valueOf(mCritical), mGNs.getGeneralNames()); } } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); } // init instance params - mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mParams.addElement(PROP_CRITICAL + "=" + mCritical); mGNs.getInstanceParams(mParams); return; } /** - * Adds a extension if none exists. - * - * @param req The request on which to apply policy. + * Adds a extension if none exists. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - if (mEnabled == false || mExtension == null) + if (mEnabled == false || mExtension == null) return res; - // get cert info. 
- X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -175,8 +176,8 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, try { // get extension if any. - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { // no extensions. } catch (CertificateException e) { @@ -186,8 +187,8 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (CertificateException e) { // not possible @@ -213,13 +214,11 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, try { extensions.set(IssuerAlternativeNameExtension.NAME, mExtension); } catch (Exception e) { - if (e instanceof RuntimeException) + if (e instanceof RuntimeException) throw (RuntimeException) e; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", - e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CRL_CREATE_ISSUER_ALT_NAME_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; 
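Review bot: apply in IssuerAltNameExt only examines `ci[0]`, while GenericASN1Ext.apply in this same commit iterates over every element of `req.getExtDataInCertInfoArray(IRequest.CERT_INFO)`; if a request can carry several cert infos the extension is added to the first only, and either a comment stating that this is intentional or a loop matching the other policy would remove the ambiguity. In init the `catch (Exception e)` folds every failure into `CMS_BASE_INTERNAL_ERROR` via `e.toString()` and drops the cause; pass `e` along if `EBaseException` accepts one. `if (mEnabled == false || mExtension == null)` reads more clearly as `if (!mEnabled || mExtension == null)`. The rest of apply is outside this hunk.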
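Review bot: The rejection path at the end of IssuerAltNameExt.apply reports `CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR")` although the failure is in setting the Issuer Alternative Name extension; the log key on the line above, `CRL_CREATE_ISSUER_ALT_NAME_EXT`, is specific to this extension, so the user-facing key looks like a carry-over from the Subject Key Identifier policy and should be replaced by the issuer-alt-name key the message catalog provides (`CMS_POLICY_<ISSUER_ALT_NAME_ERROR_KEY>` as a placeholder, since the catalog is not in the diff). The `catch (Exception e)` plus `instanceof RuntimeException` rethrow could be narrowed to the checked exceptions `extensions.set` declares, if those are known. The enclosing apply method begins outside the hunk.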
@@ -227,21 +226,21 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return Empty Vector since this policy has no configuration parameters. - * for this policy instance. + * for this policy instance. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mParams; } /** * Return default parameters for a policy implementation. - * - * @return Empty Vector since this policy implementation has no - * configuration parameters. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return defaultParams; } @@ -250,3 +249,4 @@ public class IssuerAltNameExt extends APolicyRule implements IEnrollmentPolicy, } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java index b6311eaa..4f7a72c4 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/KeyUsageExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; 
@@ -43,24 +44,25 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Policy to add Key Usage Extension. Adds the key usage extension based on - * what's requested. + * Policy to add Key Usage Extension. + * Adds the key usage extension based on what's requested. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class KeyUsageExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String HTTP_INPUT = "HTTP_INPUT"; - protected static final boolean[] DEF_BITS = new boolean[KeyUsageExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[KeyUsageExtension.NBITS]; protected int mCAPathLen = -1; protected IConfigStore mConfig = null; protected static final String PROP_CRITICAL = "critical"; 
@@ -95,35 +97,35 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=KeyUsageExt - * ca.Policy.rule.<ruleName>.enable=true ca.Policy.rule.<ruleName>. - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=KeyUsageExt + * ca.Policy.rule.<ruleName>.enable=true + * ca.Policy.rule.<ruleName>. + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CANT_FIND_MANAGER")); - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "Cannot find the Certificate Manager or Registration Manager")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot find the Certificate Manager or Registration Manager")); } if (certAuthority instanceof ICertificateAuthority) { CertificateChain caChain = certAuthority.getCACertChain(); X509Certificate caCert = null; - // Note that in RA the chain could be null if CA was not up when - // RA was started. In that case just set the length to -1 and let - // CA reject if it does not allow any subordinate CA certs. + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); mCAPathLen = caCert.getBasicConstraints(); 
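Review bot: `mCAPathLen = caCert.getBasicConstraints();` at the end of this hunk dereferences the result of `caChain.getFirstCertificate()` without a null check, so a chain whose first certificate is missing throws a NullPointerException out of init() instead of leaving the path length at -1 as the comment above it describes. NSCertTypeExt.init in this same diff guards the identical call with `if (caCert != null)`, and the two should agree: `caCert = caChain.getFirstCertificate(); if (caCert != null) mCAPathLen = caCert.getBasicConstraints();`. init()'s body continues past the end of the hunk.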
@@ -131,12 +133,10 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, } mCritical = mConfig.getBoolean(PROP_CRITICAL, true); - mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE, - HTTP_INPUT); + mDigitalSignature = mConfig.getString(PROP_DIGITAL_SIGNATURE, HTTP_INPUT); mNonRepudiation = mConfig.getString(PROP_NON_REPUDIATION, HTTP_INPUT); mKeyEncipherment = mConfig.getString(PROP_KEY_ENCIPHERMENT, HTTP_INPUT); - mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT, - HTTP_INPUT); + mDataEncipherment = mConfig.getString(PROP_DATA_ENCIPHERMENT, HTTP_INPUT); mKeyAgreement = mConfig.getString(PROP_KEY_AGREEMENT, HTTP_INPUT); mKeyCertsign = mConfig.getString(PROP_KEY_CERTSIGN, HTTP_INPUT); mCrlSign = mConfig.getString(PROP_CRL_SIGN, HTTP_INPUT); 
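Review bot: `mKeyCertsign` and `mCrlSign` default to `HTTP_INPUT` exactly like the end-entity bits, which leaves keyCertSign and cRLSign under the control of the enrollment request whenever the CA's own path length is not 0, the only case the check further down in applyCert rejects. Those two bits confer CA capability, so a safer default is to require explicit opt-in: `mKeyCertsign = mConfig.getString(PROP_KEY_CERTSIGN, "false");` and `mCrlSign = mConfig.getString(PROP_CRL_SIGN, "false");`. The plugin info text in this file promises that "false means don't set this bit", and the tail of getBit visible later in the diff parses the choice with Boolean.valueOf, which supports that, but confirm getBit's full behaviour and the impact on existing deployments before changing a default.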
@@ -145,28 +145,30 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, } /** - * Adds the key usage extension if not set already. (CRMF, agent, - * authentication (currently) or PKCS#10 (future) or RA could have set the - * extension.) If not set, set from http input parameters or use default if + * Adds the key usage extension if not set already. + * (CRMF, agent, authentication (currently) or PKCS#10 (future) + * or RA could have set the extension.) + * If not set, set from http input parameters or use default if * no http input parameters are set. * - * Note: this allows any bits requested - does not check if user - * authenticated is allowed to have a Key Usage Extension with those bits. - * Unless the CA's certificate path length is 0, then we do not allow CA - * sign or CRL sign bits in any request. + * Note: this allows any bits requested - does not check if user + * authenticated is allowed to have a Key Usage Extension with + * those bits. Unless the CA's certificate path length is 0, then + * we do not allow CA sign or CRL sign bits in any request. * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -181,30 +183,31 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); KeyUsageExtension ext = null; if (extensions != null) { try { - ext = (KeyUsageExtension) extensions - .get(KeyUsageExtension.NAME); + ext = (KeyUsageExtension) + extensions.get(KeyUsageExtension.NAME); } catch (IOException e) { // extension isn't there. ext = null; } - // check if CA does not allow subordinate CA certs. + // check if CA does not allow subordinate CA certs. // otherwise accept existing key usage extension. if (ext != null) { if (mCAPathLen == 0) { boolean[] bits = ext.getBits(); - if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) - || (bits.length > KeyUsageExtension.CRL_SIGN_BIT && bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { - setError( - req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + if ((bits.length > KeyUsageExtension.KEY_CERTSIGN_BIT && + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] == true) || + (bits.length > KeyUsageExtension.CRL_SIGN_BIT && + bits[KeyUsageExtension.CRL_SIGN_BIT] == true)) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), + NAME); return PolicyResult.REJECTED; } } @@ -213,8 +216,8 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } 
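Review bot: When the request already carries a KeyUsage extension, the only check applied to it in this hunk is the `mCAPathLen == 0` test for keyCertSign and cRLSign; the per-bit settings read in init (`mKeyCertsign`, `mCrlSign` and the rest) are consulted only on the no-extension path. If, as the structure suggests, the pre-existing extension is then accepted as-is, a rule configured with `key_certsign=false` still issues a certificate carrying that bit whenever the CA's path length is not 0. Consider validating the supplied bits against the same getBit results used to build a fresh extension, or at least stating in the class Javadoc that a client-supplied extension bypasses the per-bit configuration. The accept path for the existing extension lies outside this hunk.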
@@ -222,45 +225,41 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit( - "digital_signature", mDigitalSignature, req); - bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit( - "non_repudiation", mNonRepudiation, req); - bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit( - "key_encipherment", mKeyEncipherment, req); - bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit( - "data_encipherment", mDataEncipherment, req); - bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", - mKeyAgreement, req); - bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", - mKeyCertsign, req); - bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, - req); + bits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = getBit("digital_signature", + mDigitalSignature, req); + bits[KeyUsageExtension.NON_REPUDIATION_BIT] = getBit("non_repudiation", + mNonRepudiation, req); + bits[KeyUsageExtension.KEY_ENCIPHERMENT_BIT] = getBit("key_encipherment", + mKeyEncipherment, req); + bits[KeyUsageExtension.DATA_ENCIPHERMENT_BIT] = getBit("data_encipherment", + mDataEncipherment, req); + bits[KeyUsageExtension.KEY_AGREEMENT_BIT] = getBit("key_agreement", + mKeyAgreement, req); + bits[KeyUsageExtension.KEY_CERTSIGN_BIT] = getBit("key_certsign", + mKeyCertsign, req); + bits[KeyUsageExtension.CRL_SIGN_BIT] = getBit("crl_sign", mCrlSign, req); bits[KeyUsageExtension.ENCIPHER_ONLY_BIT] = getBit("encipher_only", - mEncipherOnly, req); - bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", - mDecipherOnly, req); - - // don't allow no bits set or the extension does not + mEncipherOnly, req); + bits[KeyUsageExtension.DECIPHER_ONLY_BIT] = getBit("decipher_only", + mDecipherOnly, req); + + // don't allow no bits set or the extension does not // encode/decode properlly. 
boolean bitset = false; for (int i = 0; i < bits.length; i++) { if (bits[i]) { - bitset = true; + bitset = true; break; } } if (!bitset) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); - setError( - req, - CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), - NAME); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET", NAME)); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_KEYUSAGE_EXTENSION_BITS_SET"), + NAME); return PolicyResult.REJECTED; } - + // create the extension. try { mKeyUsage = new KeyUsageExtension(mCritical, bits); 
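Review bot: `mKeyUsage = new KeyUsageExtension(mCritical, bits);` at the end of this hunk stores a per-request object in an instance field, and the only use visible in the next hunk is to pass it to `extensions.set`. If policy rule instances are shared between request threads (not determinable from the diff), two concurrent requests can overwrite each other's extension between the assignment and the set call; a local `KeyUsageExtension keyUsage = new KeyUsageExtension(mCritical, bits);` removes the shared state and the field can go unless something else reads it. The `bitset` scan above it would also read better as a small helper, but that is cosmetic.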
@@ -269,28 +268,24 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, extensions.set(KeyUsageExtension.NAME, mKeyUsage); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); 
@@ -322,42 +317,32 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: SHOULD be critical", - PROP_DIGITAL_SIGNATURE - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_NON_REPUDIATION - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_ENCIPHERMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DATA_ENCIPHERMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_AGREEMENT - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_KEY_CERTSIGN - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_CRL_SIGN - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_ENCIPHER_ONLY - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - PROP_DECIPHER_ONLY - + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-keyusage", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" - - }; + 
PROP_CRITICAL + ";boolean;RFC 2459 recommendation: SHOULD be critical", + PROP_DIGITAL_SIGNATURE + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_NON_REPUDIATION + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_ENCIPHERMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DATA_ENCIPHERMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_AGREEMENT + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_KEY_CERTSIGN + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_CRL_SIGN + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_ENCIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + PROP_DECIPHER_ONLY + ";choice(true,false,HTTP_INPUT);true means always set this bit, false means don't set this bit, HTTP_INPUT means get this bit from the HTTP input", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-keyusage", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Key Usage Extension; See in RFC 2459 (4.2.1.3)" + + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } @@ -370,3 +355,4 @@ public class KeyUsageExt extends APolicyRule implements IEnrollmentPolicy, return Boolean.valueOf(choice).booleanValue(); } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java index 752581f9..68f5d875 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCCommentExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.BufferedReader; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -44,20 +45,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Netscape comment Adds Netscape comment policy + * Netscape comment + * Adds Netscape comment policy * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class NSCCommentExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_USER_NOTICE_DISPLAY_TEXT = "displayText"; protected static final String PROP_COMMENT_FILE = "commentFile"; 
@@ -66,18 +68,19 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, protected static final String TEXT = "Text"; protected static final String FILE = "File"; - protected String mUserNoticeDisplayText; - protected String mCommentFile; - protected String mInputType; + protected String mUserNoticeDisplayText; + protected String mCommentFile; + protected String mInputType; protected boolean mCritical; private Vector mParams = new Vector(); - protected String tempCommentFile; + protected String tempCommentFile; protected boolean certApplied = false; /** - * Adds the Netscape comment in the end-entity certificates or CA - * certificates. The policy is set to be non-critical with the provided OID. + * Adds the Netscape comment in the end-entity certificates or + * CA certificates. The policy is set to be non-critical with the + * provided OID. */ public NSCCommentExt() { NAME = "NSCCommentExt"; @@ -88,16 +91,16 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, * Initializes this policy rule. * <p> * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.implName=NSCCommentExtImpl - * ca.Policy.rule.<ruleName>.displayText=<n> - * ca.Policy.rule.<ruleName>.commentFile=<n> - * ca.Policy.rule.<ruleName>.enable=false - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.implName=NSCCommentExtImpl + * ca.Policy.rule.<ruleName>.displayText=<n> + * ca.Policy.rule.<ruleName>.commentFile=<n> + * ca.Policy.rule.<ruleName>.enable=false + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { FileInputStream fileStream = null; 
@@ -108,10 +111,8 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, mInputType = config.getString(PROP_INPUT_TYPE, null); mParams.addElement(PROP_INPUT_TYPE + "=" + mInputType); - mUserNoticeDisplayText = config.getString( - PROP_USER_NOTICE_DISPLAY_TEXT, ""); - mParams.addElement(PROP_USER_NOTICE_DISPLAY_TEXT + "=" - + mUserNoticeDisplayText); + mUserNoticeDisplayText = config.getString(PROP_USER_NOTICE_DISPLAY_TEXT, ""); + mParams.addElement(PROP_USER_NOTICE_DISPLAY_TEXT + "=" + mUserNoticeDisplayText); tempCommentFile = config.getString(PROP_COMMENT_FILE, ""); 
@@ -137,33 +138,29 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, mParams.addElement(PROP_COMMENT_FILE + "=" + mCommentFile); } catch (FileNotFoundException e) { - Object[] params = { getInstanceName(), - "File not found : " + tempCommentFile }; + Object[] params = {getInstanceName(), "File not found : " + tempCommentFile}; - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), - params); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); } catch (Exception e) { - Object[] params = { getInstanceName(), e.getMessage() }; + Object[] params = {getInstanceName(), e.getMessage()}; - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), - params); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); } } /** * Applies the policy on the given Request. * <p> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -185,8 +182,8 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, CertificateExtensions extensions = null; try { - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { } catch (CertificateException e) { } 
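Review bot: The two catch blocks at the end of this hunk, `catch (IOException e) { } catch (CertificateException e) { }`, swallow the failure to read X509CertInfo.EXTENSIONS silently, so a malformed extensions field is indistinguishable from "no extensions yet" and the policy goes on to install a fresh, empty CertificateExtensions over it. IssuerAltNameExt in this diff at least comments the IOException case as `// no extensions.`; here a log line with `e.toString()` in the CertificateException branch would make the overwrite visible, and a comment on the IOException branch would document that it is the expected absent case. The preceding hunk in this file has the related problem that `catch (Exception e)` rewraps into EPolicyException with only `e.getMessage()`, dropping the cause.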
@@ -194,8 +191,8 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, if (extensions == null) { extensions = new CertificateExtensions(); try { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } catch (Exception e) { } @@ -203,10 +200,10 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, // remove any previously computed version of the extension try { extensions.delete(NSCCommentExtension.NAME); - + } catch (IOException e) { // this is the hack: for some reason, the key which is the name - // of the policy has been converted into the OID + // of the policy has been converted into the OID try { extensions.delete("2.16.840.1.113730.1.13"); } catch (IOException ee) { @@ -214,12 +211,10 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, } } if (mInputType.equals("File")) { - // if ((mUserNoticeDisplayText.equals("")) && - // !(mCommentFile.equals(""))) { + // if ((mUserNoticeDisplayText.equals("")) && !(mCommentFile.equals(""))) { try { // Read the comments file - BufferedReader fis = new BufferedReader(new FileReader( - mCommentFile)); + BufferedReader fis = new BufferedReader(new FileReader(mCommentFile)); String line = null; StringBuffer buffer = new StringBuffer(); 
@@ -229,13 +224,10 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, mUserNoticeDisplayText = new String(buffer); fis.close(); } catch (IOException e) { - setError( - req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, " Comment Text file not found : " + mCommentFile); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, " Comment Text file not found : " + mCommentFile); log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_COMMENT_FILE_NOT_FOUND", - e.toString())); + CMS.getLogMessage("POLICY_COMMENT_FILE_NOT_FOUND", e.toString())); return PolicyResult.REJECTED; } @@ -243,22 +235,20 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, } certApplied = true; - - DisplayText displayText = new DisplayText(DisplayText.tag_IA5String, - mUserNoticeDisplayText); + + DisplayText displayText = + new DisplayText(DisplayText.tag_IA5String, mUserNoticeDisplayText); try { - NSCCommentExtension cpExt = new NSCCommentExtension(mCritical, - mUserNoticeDisplayText); + NSCCommentExtension cpExt = + new NSCCommentExtension(mCritical, mUserNoticeDisplayText); extensions.set(NSCCommentExtension.NAME, cpExt); } catch (Exception e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); - setError( - req, - CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), - NAME); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CERTIFICATE_POLICIES_1", NAME)); + setError(req, + CMS.getUserMessage("CMS_POLICY_CERTIFICATE_POLICIES_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; 
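Review bot: `fis` is opened with `new FileReader(mCommentFile)` in the previous hunk and closed only on the success path (`fis.close()` just before the catch in this one), so an IOException during the read leaks the file handle on every rejected request. Wrap the read in try/finally (or try-with-resources if the codebase's Java level allows it) so the reader is closed on both paths; the outer `catch (IOException e)` already covers a close failure. FileReader also decodes with the platform default charset, so the comment text, which ends up in an IA5String, depends on the JVM's locale; an InputStreamReader with an explicit charset would make it deterministic. The " Comment Text file not found" message is also emitted for any IOException, not only a missing file.
```java
BufferedReader fis = new BufferedReader(new FileReader(mCommentFile));
try {
    // … unchanged: readLine loop appending to buffer …
    mUserNoticeDisplayText = new String(buffer);
} finally {
    fis.close();
}
```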
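Review bot: `DisplayText displayText = new DisplayText(DisplayText.tag_IA5String, mUserNoticeDisplayText);` in this hunk is never used; `cpExt` is built directly from `mUserNoticeDisplayText`, so the line is dead code whose only effect is whatever the DisplayText constructor does on its own. Drop it, or if the intent was to validate the comment as IA5 text, pass the validated object on and surface a constructor failure as a rejection. Note also that `mUserNoticeDisplayText` is an instance field overwritten per request in the File branch above and `certApplied` is flipped here; if rule instances are shared across request threads (not visible in the diff) this is shared mutable state on the request path.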
@@ -266,22 +256,19 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;Netscape recommendation: non-critical.", - PROP_INPUT_TYPE - + ";choice(Text,File);Whether the comments " - + "would be entered in the displayText field or come from " - + "a file.", - PROP_USER_NOTICE_DISPLAY_TEXT - + ";string;The comment that may be " - + "displayed to the user when the certificate is viewed.", - PROP_COMMENT_FILE - + ";string; If data source is 'File', specify " - + "the file name with full path.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-nsccomment", - IExtendedPluginInfo.HELP_TEXT - + ";Adds 'netscape comment' extension. See manual" }; + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_INPUT_TYPE + ";choice(Text,File);Whether the comments " + + "would be entered in the displayText field or come from " + + "a file.", + PROP_USER_NOTICE_DISPLAY_TEXT + ";string;The comment that may be " + + "displayed to the user when the certificate is viewed.", + PROP_COMMENT_FILE + ";string; If data source is 'File', specify " + + "the file name with full path.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nsccomment", + IExtendedPluginInfo.HELP_TEXT + + ";Adds 'netscape comment' extension. See manual" + }; return params; 
@@ -289,19 +276,19 @@ public class NSCCommentExt extends APolicyRule implements IEnrollmentPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_CRITICAL + "=false"); diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java index f920b47b..2ececcf9 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NSCertTypeExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; 
@@ -45,44 +46,45 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * NS Cert Type policy. Adds the ns cert type extension depending on cert type - * requested. + * NS Cert Type policy. + * Adds the ns cert type extension depending on cert type requested. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { +public class NSCertTypeExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_SET_DEFAULT_BITS = "setDefaultBits"; protected static final boolean DEF_SET_DEFAULT_BITS = true; - protected static final String DEF_SET_DEFAULT_BITS_VAL = Boolean.valueOf( - DEF_SET_DEFAULT_BITS).toString(); + protected static final String DEF_SET_DEFAULT_BITS_VAL = + Boolean.valueOf(DEF_SET_DEFAULT_BITS).toString(); protected static final int DEF_PATHLEN = -1; - protected static final boolean[] DEF_BITS = new boolean[NSCertTypeExtension.NBITS]; + protected static final boolean[] DEF_BITS = + new boolean[NSCertTypeExtension.NBITS]; - // XXX for future use. currenlty always allow. + // XXX for future use. currenlty always allow. protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; protected static final String PROP_EE_OVERR = "AllowEEOverride"; - // XXX for future use. currently always critical - // (standard says SHOULD be marked critical if included.) + // XXX for future use. currently always critical + // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; - // XXX for future use to allow overrides from forms. + // XXX for future use to allow overrides from forms. // request must be agent approved or authenticated. 
protected boolean mAllowAgentOverride = false; protected boolean mAllowEEOverride = false; - // XXX for future use. currently always non-critical + // XXX for future use. currently always non-critical protected boolean mCritical = false; protected int mCAPathLen = -1; @@ -110,25 +112,25 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=nsCertTypeExt + * ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // XXX future use. - // mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); - // mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); + //mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); + //mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); mCritical = config.getBoolean(PROP_CRITICAL, false); - ICertAuthority certAuthority = (ICertAuthority) ((IPolicyProcessor) owner) - .getAuthority(); + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor) owner).getAuthority(); if (certAuthority instanceof ICertificateAuthority) { CertificateChain caChain = certAuthority.getCACertChain(); 
@@ -139,34 +141,35 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, // CA reject if it does not allow any subordinate CA certs. if (caChain != null) { caCert = caChain.getFirstCertificate(); - if (caCert != null) + if (caCert != null) mCAPathLen = caCert.getBasicConstraints(); } } - mSetDefaultBits = mConfig.getBoolean(PROP_SET_DEFAULT_BITS, - DEF_SET_DEFAULT_BITS); + mSetDefaultBits = mConfig.getBoolean( + PROP_SET_DEFAULT_BITS, DEF_SET_DEFAULT_BITS); } /** - * Adds the ns cert type if not set already. reads ns cert type choices from - * form. If no choices from form will defaults to all. + * Adds the ns cert type if not set already. + * reads ns cert type choices from form. If no choices from form + * will defaults to all. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " - + getInstanceName() + "::apply()"); + CMS.debug("NSCertTypeExt: Impl: " + NAME + ", Instance: " + getInstanceName() + "::apply()"); PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -181,29 +184,30 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { try { - String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); NSCertTypeExtension nsCertTypeExt = null; if (extensions != null) { // See if extension is already set and contains correct values. try { - nsCertTypeExt = (NSCertTypeExtension) extensions - .get(NSCertTypeExtension.NAME); + nsCertTypeExt = (NSCertTypeExtension) + extensions.get(NSCertTypeExtension.NAME); } catch (IOException e) { // extension isn't there. nsCertTypeExt = null; } // XXX agent servlet currently sets this. it should be // delayed to here. - if (nsCertTypeExt != null - && extensionIsGood(nsCertTypeExt, req)) { - CMS.debug("NSCertTypeExt: already has correct ns cert type ext"); + if (nsCertTypeExt != null && + extensionIsGood(nsCertTypeExt, req)) { + CMS.debug( + "NSCertTypeExt: already has correct ns cert type ext"); return PolicyResult.ACCEPTED; - } else if ((nsCertTypeExt != null) - && (certType.equals("ocspResponder"))) { + } else if ((nsCertTypeExt != null) && + (certType.equals("ocspResponder"))) { // Fix for #528732 : Always delete // this extension from OCSP signing cert extensions.delete(NSCertTypeExtension.NAME); 
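Review bot: `certType.equals("ocspResponder")` in applyCert() dereferences the value read from IRequest.CERT_TYPE without a null check, so a request that already carries an NSCertType extension but no cert type parameter fails with a NullPointerException instead of a policy result; getCertTypeBits() later in this file does treat a null certType as possible. Reversing the comparison avoids it: `} else if ((nsCertTypeExt != null) && ("ocspResponder".equals(certType))) {`. Because an NPE is neither an IOException nor a CertificateException, the catch blocks at the end of the method will not convert it into a REJECTED result. applyCert() continues outside this hunk.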
@@ -212,11 +216,12 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } else { // create extensions set if none. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); - CMS.debug("NSCertTypeExt: Created extensions for adding ns cert type.."); + CMS.debug( + "NSCertTypeExt: Created extensions for adding ns cert type.."); } } // add ns cert type extension if not set or not set correctly. @@ -224,15 +229,13 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, bits = getBitsFromRequest(req, mSetDefaultBits); - // check if ca doesn't allow any subordinate ca - if (mCAPathLen == 0 && bits != null) { - if (bits[NSCertTypeExtension.SSL_CA_BIT] - || bits[NSCertTypeExtension.EMAIL_CA_BIT] - || bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { - setError( - req, - CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), - NAME); + // check if ca doesn't allow any subordinate ca + if (mCAPathLen == 0 && bits != null) { + if (bits[NSCertTypeExtension.SSL_CA_BIT] || + bits[NSCertTypeExtension.EMAIL_CA_BIT] || + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT]) { + setError(req, + CMS.getUserMessage("CMS_POLICY_NO_SUB_CA_CERTS_ALLOWED"), NAME); return PolicyResult.REJECTED; } } @@ -246,11 +249,11 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, int j; for (j = 0; bits != null && j < bits.length; j++) - if (bits[j]) - break; + if (bits[j]) break; if (bits == null || j == bits.length) { if (!mSetDefaultBits) { - CMS.debug("NSCertTypeExt: no bits requested, not setting default."); + CMS.debug( + "NSCertTypeExt: no bits requested, not setting default."); return PolicyResult.ACCEPTED; } else bits = DEF_BITS; 
@@ -260,40 +263,39 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, extensions.set(NSCertTypeExtension.NAME, nsCertTypeExt); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** - * check if ns cert type extension is set correctly, correct bits if not. if - * not authorized to set extension, bits will be replaced. + * check if ns cert type extension is set correctly, + * correct bits if not. + * if not authorized to set extension, bits will be replaced. */ - protected boolean extensionIsGood(NSCertTypeExtension nsCertTypeExt, - IRequest req) throws IOException, CertificateException { + protected boolean extensionIsGood( + NSCertTypeExtension nsCertTypeExt, IRequest req) + throws IOException, CertificateException { // always return false for now to make sure minimum is set. // agents and ee can add others. - // must be agent approved or authenticated for allowing extensions + // must be agent approved or authenticated for allowing extensions // which is always the case if we get to this point. 
IAuthToken token = req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); if (!agentApproved(req) && token == null) { // don't know where this came from. // set all bits to false to reset. - CMS.debug("NSCertTypeExt: unknown origin: setting ns cert type bits to false"); + CMS.debug( + "NSCertTypeExt: unknown origin: setting ns cert type bits to false"); boolean[] bits = new boolean[8]; for (int i = bits.length - 1; i >= 0; i--) { 
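Review bot: The header comment of extensionIsGood() states it will "always return false for now to make sure minimum is set", but the next hunk shows the method returning true from the CA and client branches once the minimum bits have been set in place, so the comment no longer describes the contract. Something like `// Repair the extension in place so the minimum bits for the request's cert type are set; returns true once the extension is acceptable.` matches what the code does. The method body continues past this hunk, so the full set of return paths should be confirmed against the remainder.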
@@ -313,37 +315,37 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, return true; } if (certType.equals(IRequest.CA_CERT)) { - if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.EMAIL_CA_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CA_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_CA_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_CA_BIT)) { // min not set so set all. - CMS.debug("NSCertTypeExt: is extension good: no ca bits set. set all"); + CMS.debug( + "NSCertTypeExt: is extension good: no ca bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, - Boolean.valueOf(true)); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CA, + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.EMAIL_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING_CA, - Boolean.valueOf(true)); + Boolean.valueOf(true)); } return true; } else if (certType.equals(IRequest.CLIENT_CERT)) { - if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) - && !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.SSL_SERVER_BIT) - && !nsCertTypeExt - .isSet(NSCertTypeExtension.OBJECT_SIGNING_BIT)) { + if (!nsCertTypeExt.isSet(NSCertTypeExtension.SSL_CLIENT_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.EMAIL_BIT) && + !nsCertTypeExt.isSet(NSCertTypeExtension.SSL_SERVER_BIT) && + !nsCertTypeExt.isSet( + NSCertTypeExtension.OBJECT_SIGNING_BIT)) { // min not set so set all. - CMS.debug("NSCertTypeExt: is extension good: no cl bits set. set all"); - nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, - new Boolean(true)); - nsCertTypeExt.set(NSCertTypeExtension.EMAIL, new Boolean( - true)); + CMS.debug( + "NSCertTypeExt: is extension good: no cl bits set. 
set all"); + nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, + new Boolean(true)); + nsCertTypeExt.set(NSCertTypeExtension.EMAIL, + new Boolean(true)); nsCertTypeExt.set(NSCertTypeExtension.OBJECT_SIGNING, - new Boolean(true)); + new Boolean(true)); } return true; } else if (certType.equals(IRequest.SERVER_CERT)) { @@ -356,13 +358,14 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } /** - * Gets ns cert type bits from request. If none set, use cert type to - * determine correct bits. If no cert type, use default. - */ + * Gets ns cert type bits from request. + * If none set, use cert type to determine correct bits. + * If no cert type, use default. + */ protected boolean[] getBitsFromRequest(IRequest req, boolean setDefault) { boolean[] bits = null; - + CMS.debug("NSCertTypeExt: ns cert type getting ns cert type vars"); bits = getNSCertTypeBits(req); if (bits == null && setDefault) { 
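Review bot: The client-cert branch of extensionIsGood() creates its flags with `new Boolean(true)` while the CA branch a few lines above uses `Boolean.valueOf(true)`; the constructor allocates a fresh object on every call and has been deprecated in current JDKs, so the two branches should share one idiom. Using `Boolean.TRUE` (or `Boolean.valueOf(true)`) in all six set() calls keeps the style consistent, e.g. `nsCertTypeExt.set(NSCertTypeExtension.SSL_CLIENT, Boolean.TRUE);`. Behavior is unchanged either way.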
@@ -385,31 +388,34 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, boolean[] bits = new boolean[NSCertTypeExtension.NBITS]; bits[NSCertTypeExtension.SSL_CLIENT_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.SSL_CLIENT, false); + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CLIENT, false); - bits[NSCertTypeExtension.SSL_SERVER_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.SSL_SERVER, false); + bits[NSCertTypeExtension.SSL_SERVER_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_SERVER, false); bits[NSCertTypeExtension.EMAIL_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.EMAIL, false); + // XXX should change this to is ns cert type ssl_client defn. + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL, false); bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = - // XXX should change this to is ns cert type ssl_client defn. - req.getExtDataInBoolean(IRequest.HTTP_PARAMS, - NSCertTypeExtension.OBJECT_SIGNING, false); + // XXX should change this to is ns cert type ssl_client defn. 
+ req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.OBJECT_SIGNING, false); - bits[NSCertTypeExtension.SSL_CA_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.SSL_CA, false); + bits[NSCertTypeExtension.SSL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.SSL_CA, false); - bits[NSCertTypeExtension.EMAIL_CA_BIT] = req.getExtDataInBoolean( - IRequest.HTTP_PARAMS, NSCertTypeExtension.EMAIL_CA, false); + bits[NSCertTypeExtension.EMAIL_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, + NSCertTypeExtension.EMAIL_CA, false); - bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = req - .getExtDataInBoolean(IRequest.HTTP_PARAMS, + bits[NSCertTypeExtension.OBJECT_SIGNING_CA_BIT] = + req.getExtDataInBoolean(IRequest.HTTP_PARAMS, NSCertTypeExtension.OBJECT_SIGNING_CA, false); // if nothing set, return null. 
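Review bot: In getNSCertTypeBits() the comment `// XXX should change this to is ns cert type ssl_client defn.` is repeated verbatim above the EMAIL and OBJECT_SIGNING reads, where "ssl_client" is not the bit being read, so two of the three copies are misleading. Either drop the duplicates or name the relevant bit in each, e.g. `// XXX should change this to the ns cert type email defn.` above the EMAIL read. The method continues past the end of this hunk.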
@@ -433,24 +439,24 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, * get cert type bits according to cert type. */ protected boolean[] getCertTypeBits(IRequest req) { - String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - if (certType == null || certType.length() == 0) + if (certType == null || certType.length() == 0) return null; boolean[] bits = new boolean[KeyUsageExtension.NBITS]; - for (int i = bits.length - 1; i >= 0; i--) + for (int i = bits.length - 1; i >= 0; i--) bits[i] = false; if (certType.equals(IRequest.CLIENT_CERT)) { CMS.debug("NSCertTypeExt: setting bits for client cert"); - // we can only guess here when it's client. + // we can only guess here when it's client. // sets all client bit for default. bits[NSCertTypeExtension.SSL_CLIENT_BIT] = true; bits[NSCertTypeExtension.EMAIL_BIT] = true; - // bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; + //bits[NSCertTypeExtension.OBJECT_SIGNING_BIT] = true; } else if (certType.equals(IRequest.SERVER_CERT)) { CMS.debug("NSCertTypeExt: setting bits for server cert"); bits[NSCertTypeExtension.SSL_SERVER_BIT] = true; @@ -471,8 +477,9 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, } /** - * merge bits with those set from form. make sure required minimum is set. - * Agent or auth can set others. XXX form shouldn't set the extension + * merge bits with those set from form. + * make sure required minimum is set. Agent or auth can set others. + * XXX form shouldn't set the extension */ public void mergeBits(NSCertTypeExtension nsCertTypeExt, boolean[] bits) { for (int i = bits.length - 1; i >= 0; i--) { 
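Review bot: getCertTypeBits() sizes its result with `new boolean[KeyUsageExtension.NBITS]`, yet every index it writes is an NSCertTypeExtension bit constant and getNSCertTypeBits() in the preceding hunk allocates the same kind of array with `NSCertTypeExtension.NBITS`; unless the two constants happen to be equal, the array here has the wrong length for the bits that mergeBits() later iterates over. `boolean[] bits = new boolean[NSCertTypeExtension.NBITS];` makes the two helpers agree. The loop that assigns false to every element is also redundant, since a freshly allocated boolean[] is already all-false. The method's tail lies outside this hunk.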
@@ -485,47 +492,49 @@ public class NSCertTypeExt extends APolicyRule implements IEnrollmentPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_CRITICAL + "=" + mCritical); params.addElement(PROP_SET_DEFAULT_BITS + "=" + mSetDefaultBits); - // new Boolean(mSetDefaultBits).toString()); + //new Boolean(mSetDefaultBits).toString()); return params; } private static Vector mDefParams = new Vector(); static { - mDefParams.addElement(PROP_CRITICAL + "=false"); - mDefParams.addElement(PROP_SET_DEFAULT_BITS + "=" - + DEF_SET_DEFAULT_BITS); + mDefParams.addElement( + PROP_CRITICAL + "=false"); + mDefParams.addElement( + PROP_SET_DEFAULT_BITS + "=" + DEF_SET_DEFAULT_BITS); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;Netscape recommendation: non-critical.", - PROP_SET_DEFAULT_BITS - + ";boolean;Specify whether to set the Netscape certificate " - + "type extension with default bits ('ssl client' and 'email') in certificates " - + "specified by the predicate " + "expression.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-nscerttype", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Netscape Certificate Type extension." }; + PROP_CRITICAL + ";boolean;Netscape recommendation: non-critical.", + PROP_SET_DEFAULT_BITS + ";boolean;Specify whether to set the Netscape certificate " + + "type extension with default bits ('ssl client' and 'email') in certificates " + + "specified by the predicate " + + "expression.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nscerttype", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Netscape Certificate Type extension." + }; return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java index fa3183ed..35106de4 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/NameConstraintsExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -42,21 +43,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Name Constraints Extension Policy Adds the name constraints extension to a - * (CA) certificate. Filtering of CA certificates is done through predicates. + * Name Constraints Extension Policy + * Adds the name constraints extension to a (CA) certificate. + * Filtering of CA certificates is done through predicates. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class NameConstraintsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class NameConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_PERMITTEDSUBTREES = "numPermittedSubtrees"; protected static final String PROP_NUM_EXCLUDEDSUBTREES = "numExcludedSubtrees"; 
@@ -88,62 +90,69 @@ public class NameConstraintsExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - // XXX should do do this ? - // if CA does not allow subordinate CAs by way of basic constraints, - // this policy always rejects + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects /***** - * ICertAuthority certAuthority = (ICertAuthority) - * ((IPolicyProcessor)owner).getAuthority(); if (certAuthority - * instanceof ICertificateAuthority) { CertificateChain caChain = - * certAuthority.getCACertChain(); X509Certificate caCert = null; // - * Note that in RA the chain could be null if CA was not up when // RA - * was started. In that case just set the length to -1 and let // CA - * reject if it does not allow any subordinate CA certs. if (caChain != - * null) { caCert = caChain.getFirstCertificate(); if (caCert != null) - * mCAPathLen = caCert.getBasicConstraints(); } } + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor)owner).getAuthority(); + if (certAuthority instanceof ICertificateAuthority) { + CertificateChain caChain = certAuthority.getCACertChain(); + X509Certificate caCert = null; + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. 
+ if (caChain != null) { + caCert = caChain.getFirstCertificate(); + if (caCert != null) + mCAPathLen = caCert.getBasicConstraints(); + } + } ****/ - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mNumPermittedSubtrees = mConfig.getInteger(PROP_NUM_PERMITTEDSUBTREES, - DEF_NUM_PERMITTEDSUBTREES); - mNumExcludedSubtrees = mConfig.getInteger(PROP_NUM_EXCLUDEDSUBTREES, - DEF_NUM_EXCLUDEDSUBTREES); + mNumPermittedSubtrees = mConfig.getInteger( + PROP_NUM_PERMITTEDSUBTREES, DEF_NUM_PERMITTEDSUBTREES); + mNumExcludedSubtrees = mConfig.getInteger( + PROP_NUM_EXCLUDEDSUBTREES, DEF_NUM_EXCLUDEDSUBTREES); if (mNumPermittedSubtrees < 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_PERMITTEDSUBTREES, - "value must be greater than or equal to 0")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_PERMITTEDSUBTREES, + "value must be greater than or equal to 0")); } if (mNumExcludedSubtrees < 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_EXCLUDEDSUBTREES, - "value must be greater than or equal to 0")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_EXCLUDEDSUBTREES, + "value must be greater than or equal to 0")); } // init permitted subtrees if any. if (mNumPermittedSubtrees > 0) { - mPermittedSubtrees = form_subtrees(PROP_PERMITTEDSUBTREES, - mNumPermittedSubtrees); + mPermittedSubtrees = + form_subtrees(PROP_PERMITTEDSUBTREES, mNumPermittedSubtrees); CMS.debug("NameConstraintsExt: formed permitted subtrees"); } // init excluded subtrees if any. 
if (mNumExcludedSubtrees > 0) { - mExcludedSubtrees = form_subtrees(PROP_EXCLUDEDSUBTREES, - mNumExcludedSubtrees); + mExcludedSubtrees = + form_subtrees(PROP_EXCLUDEDSUBTREES, mNumExcludedSubtrees); CMS.debug("NameConstraintsExt: formed excluded subtrees"); } @@ -153,14 +162,14 @@ public class NameConstraintsExt extends APolicyRule implements Vector permittedSubtrees = new Vector(); for (int i = 0; i < mNumPermittedSubtrees; i++) { - permittedSubtrees - .addElement(mPermittedSubtrees[i].mGeneralSubtree); + permittedSubtrees.addElement( + mPermittedSubtrees[i].mGeneralSubtree); } Vector excludedSubtrees = new Vector(); for (int j = 0; j < mNumExcludedSubtrees; j++) { - excludedSubtrees - .addElement(mExcludedSubtrees[j].mGeneralSubtree); + excludedSubtrees.addElement( + mExcludedSubtrees[j].mGeneralSubtree); } GeneralSubtrees psb = null; 
@@ -172,41 +181,44 @@ public class NameConstraintsExt extends APolicyRule implements if (excludedSubtrees.size() > 0) { esb = new GeneralSubtrees(excludedSubtrees); } - mNameConstraintsExtension = new NameConstraintsExtension( - mCritical, psb, esb); - CMS.debug("NameConstraintsExt: formed Name Constraints Extension " - + mNameConstraintsExtension); + mNameConstraintsExtension = + new NameConstraintsExtension(mCritical, + psb, + esb); + CMS.debug("NameConstraintsExt: formed Name Constraints Extension " + + mNameConstraintsExtension); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Error initializing Name Constraints Extension: " + e)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing Name Constraints Extension: " + e)); } } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(PROP_NUM_PERMITTEDSUBTREES + "=" - + mNumPermittedSubtrees); - mInstanceParams.addElement(PROP_NUM_EXCLUDEDSUBTREES + "=" - + mNumExcludedSubtrees); + mInstanceParams.addElement( + PROP_NUM_PERMITTEDSUBTREES + "=" + mNumPermittedSubtrees); + mInstanceParams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + "=" + mNumExcludedSubtrees); if (mNumPermittedSubtrees > 0) { - for (int i = 0; i < mPermittedSubtrees.length; i++) + for (int i = 0; i < mPermittedSubtrees.length; i++) mPermittedSubtrees[i].getInstanceParams(mInstanceParams); } if (mNumExcludedSubtrees > 0) { - for (int j = 0; j < mExcludedSubtrees.length; j++) + for (int j = 0; j < mExcludedSubtrees.length; j++) mExcludedSubtrees[j].getInstanceParams(mInstanceParams); } } - Subtree[] form_subtrees(String subtreesName, int numSubtrees) - throws EBaseException { + Subtree[] form_subtrees(String subtreesName, int numSubtrees) + throws EBaseException { Subtree[] subtrees = new Subtree[numSubtrees]; for (int i = 0; i < numSubtrees; i++) { String subtreeName = 
subtreesName + i; IConfigStore subtreeConfig = mConfig.getSubStore(subtreeName); - Subtree subtree = new Subtree(subtreeName, subtreeConfig, mEnabled); + Subtree subtree = + new Subtree(subtreeName, subtreeConfig, mEnabled); subtrees[i] = subtree; } @@ -216,27 +228,28 @@ public class NameConstraintsExt extends APolicyRule implements /** * Adds Name Constraints Extension to a (CA) certificate. * - * If a Name constraints Extension is already there, accept it if it's been - * approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * If a Name constraints Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - // if extension hasn't been properly configured reject requests until + // if extension hasn't been properly configured reject requests until // it has been resolved (or disabled). if (mNameConstraintsExtension == null) { - // setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); - // return PolicyResult.REJECTED; + //setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); + //return PolicyResult.REJECTED; return PolicyResult.ACCEPTED; } // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { 
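Review bot: The comment `// if extension hasn't been properly configured reject requests until it has been resolved (or disabled).` in NameConstraintsExt.apply() contradicts the code beneath it, where the setError/REJECTED lines are commented out and a null mNameConstraintsExtension yields PolicyResult.ACCEPTED. The effect is that a rule whose extension was never built in init() passes the request through without adding any name constraints, which is the opposite of what the comment promises. The comment should state the actual behavior, e.g. `// if the extension was not configured, pass the request through unchanged (rejection is currently disabled, see below).` The body of apply() continues in the next hunk.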
@@ -255,82 +268,80 @@ public class NameConstraintsExt extends APolicyRule implements // else ignore. try { NameConstraintsExtension nameConstraintsExt = null; - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - nameConstraintsExt = (NameConstraintsExtension) extensions - .get(NameConstraintsExtension.NAME); + nameConstraintsExt = (NameConstraintsExtension) + extensions.get(NameConstraintsExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (nameConstraintsExt != null) { if (agentApproved(req)) { - CMS.debug("NameConstraintsExt: request id from agent " - + req.getRequestId() - + " already has name constraints - accepted"); + CMS.debug( + "NameConstraintsExt: request id from agent " + req.getRequestId() + + " already has name constraints - accepted"); return PolicyResult.ACCEPTED; } else { - CMS.debug("NameConstraintsExt: request id " - + req.getRequestId() + " from user " - + " already has name constraints - deleted"); + CMS.debug( + "NameConstraintsExt: request id " + req.getRequestId() + " from user " + + " already has name constraints - deleted"); extensions.delete(NameConstraintsExtension.NAME); } } if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set(NameConstraintsExtension.NAME, - mNameConstraintsExtension); - CMS.debug("NameConstraintsExt: added Name Constraints Extension to request " - + req.getRequestId()); + extensions.set( + NameConstraintsExtension.NAME, mNameConstraintsExtension); + CMS.debug( + "NameConstraintsExt: added Name Constraints Extension to request " 
+ + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", - e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_NAME_CONST_EXTENSION", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params will - * show up in the console. + * Default config parameters. + * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. 
*/ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(PROP_NUM_PERMITTEDSUBTREES + "=" - + DEF_NUM_PERMITTEDSUBTREES); - mDefParams.addElement(PROP_NUM_EXCLUDEDSUBTREES + "=" - + DEF_NUM_EXCLUDEDSUBTREES); + mDefParams.addElement( + PROP_NUM_PERMITTEDSUBTREES + "=" + DEF_NUM_PERMITTEDSUBTREES); + mDefParams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + "=" + DEF_NUM_EXCLUDEDSUBTREES); for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { Subtree.getDefaultParams(PROP_PERMITTEDSUBTREES + k, mDefParams); } @@ -341,22 +352,21 @@ public class NameConstraintsExt extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); - theparams.addElement(PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: MUST be critical."); - theparams.addElement(PROP_NUM_PERMITTEDSUBTREES - + ";number;See RFC 2459 sec 4.2.1.11"); - theparams.addElement(PROP_NUM_EXCLUDEDSUBTREES - + ";number;See RFC 2459 sec 4.2.1.11"); + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be critical."); + theparams.addElement( + PROP_NUM_PERMITTEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); + theparams.addElement( + PROP_NUM_EXCLUDEDSUBTREES + ";number;See RFC 2459 sec 4.2.1.11"); // now do the subtrees. for (int k = 0; k < DEF_NUM_PERMITTEDSUBTREES; k++) { 
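Review bot: NameConstraintsExt.apply() stores the single `mNameConstraintsExtension` object built in init() into every request's CertificateExtensions via `extensions.set(NameConstraintsExtension.NAME, mNameConstraintsExtension);`, so every certificate issued through this rule shares one extension instance. If anything downstream (another policy rule, or the encoding path) mutates that object, the change would leak across unrelated requests; whether NameConstraintsExtension is ever mutated after construction cannot be confirmed from this hunk, so it is worth checking whether the instance should be copied per request instead of shared. The user-supplied extension is correctly discarded in the non-agent branch before the configured one is set, so the sharing concern is the only point here.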
@@ -365,10 +375,10 @@ public class NameConstraintsExt extends APolicyRule implements for (int l = 0; l < DEF_NUM_EXCLUDEDSUBTREES; l++) { Subtree.getExtendedPluginInfo(PROP_EXCLUDEDSUBTREES + l, theparams); } - theparams.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-nameconstraints"); - theparams.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Name Constraints Extension. See RFC 2459"); + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-nameconstraints"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Name Constraints Extension. See RFC 2459"); String[] info = new String[theparams.size()]; @@ -377,8 +387,9 @@ public class NameConstraintsExt extends APolicyRule implements } } + /** - * subtree configuration + * subtree configuration */ class Subtree { @@ -389,7 +400,8 @@ class Subtree { protected static final int DEF_MIN = 0; protected static final int DEF_MAX = -1; // -1 (less than 0) means not set. - protected static final String MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; + protected static final String + MINMAX_INFO = "number;See RFC 2459 section 4.2.1.11"; String mName = null; IConfigStore mConfig = null; @@ -401,13 +413,14 @@ class Subtree { String mNameDotMin = null; String mNameDotMax = null; - public Subtree(String subtreeName, IConfigStore config, - boolean policyEnabled) throws EBaseException { + public Subtree( + String subtreeName, IConfigStore config, boolean policyEnabled) + throws EBaseException { mName = subtreeName; mConfig = config; if (mName != null) { - mNameDot = mName + "."; + mNameDot = mName + "."; mNameDotMin = mNameDot + PROP_MIN; mNameDotMax = mNameDot + PROP_MAX; } else { 
@@ -426,14 +439,14 @@ class Subtree { // if policy enabled get values to form the general subtree. mMin = mConfig.getInteger(PROP_MIN, DEF_MIN); mMax = mConfig.getInteger(PROP_MAX, DEF_MAX); - if (mMax < -1) - mMax = -1; - mBase = CMS.createGeneralNameAsConstraintsConfig(mNameDot + PROP_BASE, - mConfig.getSubStore(PROP_BASE), true, policyEnabled); + if (mMax < -1) mMax = -1; + mBase = CMS.createGeneralNameAsConstraintsConfig( + mNameDot + PROP_BASE, mConfig.getSubStore(PROP_BASE), + true, policyEnabled); if (policyEnabled) { - mGeneralSubtree = new GeneralSubtree(mBase.getGeneralName(), mMin, - mMax); + mGeneralSubtree = + new GeneralSubtree(mBase.getGeneralName(), mMin, mMax); } } @@ -458,9 +471,9 @@ class Subtree { if (name != null && name.length() > 0) nameDot = name + "."; - CMS.getGeneralNameConfigExtendedPluginInfo(nameDot + PROP_BASE, true, - info); + CMS.getGeneralNameConfigExtendedPluginInfo(nameDot + PROP_BASE, true, info); info.addElement(nameDot + PROP_MIN + ";" + MINMAX_INFO); info.addElement(nameDot + PROP_MAX + ";" + MINMAX_INFO); } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java index fd0f8999..e5cbab53 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/OCSPNoCheckExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -38,25 +39,25 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * This implements an OCSP Signing policy, it adds the OCSP Signing extension to - * the certificate. + * This implements an OCSP Signing policy, it + * adds the OCSP Signing extension to the certificate. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$ $Date$ */ -public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { - +public class OCSPNoCheckExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + public static final String PROP_CRITICAL = "critical"; private boolean mCritical = false; - + // PKIX specifies the that the extension SHOULD NOT be critical public static final boolean DEFAULT_CRITICALITY = false; @@ -72,12 +73,12 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;RFC 2560 recommendation: SHOULD be non-critical.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-ocspnocheck", - IExtendedPluginInfo.HELP_TEXT - + ";Adds OCSP signing extension to certificate" }; + PROP_CRITICAL + ";boolean;RFC 2560 recommendation: SHOULD be non-critical.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-ocspnocheck", + IExtendedPluginInfo.HELP_TEXT + + ";Adds OCSP signing extension to certificate" + }; return params; 
@@ -87,12 +88,13 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, * Performs one-time initialization of the policy. */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mOCSPNoCheck = new OCSPNoCheckExtension(); - + if (mOCSPNoCheck != null) { // configure the extension itself - mCritical = config.getBoolean(PROP_CRITICAL, DEFAULT_CRITICALITY); + mCritical = config.getBoolean(PROP_CRITICAL, + DEFAULT_CRITICALITY); mOCSPNoCheck.setCritical(mCritical); } } @@ -107,7 +109,8 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, return PolicyResult.ACCEPTED; } - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); 
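Review bot: The `if (mOCSPNoCheck != null)` guard in init() is dead code: `new OCSPNoCheckExtension()` on the line before either yields a non-null object or throws, so the branch always runs and the guard only implies an error path that does not exist. The three statements can stand on their own: `mOCSPNoCheck = new OCSPNoCheckExtension(); mCritical = config.getBoolean(PROP_CRITICAL, DEFAULT_CRITICALITY); mOCSPNoCheck.setCritical(mCritical);`.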
@@ -127,24 +130,23 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, try { // find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // prepare the extensions data structure if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { extensions.delete(OCSPNoCheckExtension.NAME); } catch (IOException ex) { // OCSPNoCheck extension is not already there - // log(ILogger.LL_FAILURE, - // "No previous extension: "+OCSPNoCheckExtension.NAME+" "+ex.getMessage()); + // log(ILogger.LL_FAILURE, "No previous extension: "+OCSPNoCheckExtension.NAME+" "+ex.getMessage()); } } 
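Review bot: In the `extensions == null` branch of apply(), `X509CertInfo.VERSION` is set to V3 twice; the second `certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));` is redundant and can go. In the `else` branch the `IOException` from `extensions.delete(OCSPNoCheckExtension.NAME)` is swallowed with only a commented-out log line, so a deletion failure is indistinguishable from "not present"; if absence is the expected case, a live `CMS.debug(NAME + ": no previous " + OCSPNoCheckExtension.NAME + " extension: " + ex.getMessage());` keeps the outcome visible without changing behaviour. The enclosing try block continues past the end of this hunk.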
@@ -153,22 +155,18 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, + e.getMessage()); return PolicyResult.REJECTED; } } - + /** * Returns instance parameters. */ @@ -177,9 +175,9 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, params.addElement(PROP_CRITICAL + "=" + mCritical); return params; - + } - + /** * Returns default parameters. */ @@ -188,6 +186,6 @@ public class OCSPNoCheckExt extends APolicyRule implements IEnrollmentPolicy, defParams.addElement(PROP_CRITICAL + "=false"); return defParams; - + } } diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java index 733b7525..717c19f7 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyConstraintsExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -39,28 +40,31 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Policy Constraints Extension Policy Adds the policy constraints extension to - * (CA) certificates. Filtering of CA certificates is done through predicates. + * Policy Constraints Extension Policy + * Adds the policy constraints extension to (CA) certificates. + * Filtering of CA certificates is done through predicates. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class PolicyConstraintsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class PolicyConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; - protected static final String PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; - protected static final String PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; + protected static final String + PROP_REQ_EXPLICIT_POLICY = "reqExplicitPolicy"; + protected static final String + PROP_INHIBIT_POLICY_MAPPING = "inhibitPolicyMapping"; protected static final boolean DEF_CRITICAL = false; - protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set - protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set + protected static final int DEF_REQ_EXPLICIT_POLICY = -1; // not set + protected static final int DEF_INHIBIT_POLICY_MAPPING = -1; // not set protected boolean mEnabled = false; protected IConfigStore mConfig = null; 
@@ -75,10 +79,10 @@ public class PolicyConstraintsExt extends APolicyRule implements protected static Vector mDefaultParams = new Vector(); static { mDefaultParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefaultParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" - + DEF_REQ_EXPLICIT_POLICY); - mDefaultParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" - + DEF_INHIBIT_POLICY_MAPPING); + mDefaultParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + DEF_REQ_EXPLICIT_POLICY); + mDefaultParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + DEF_INHIBIT_POLICY_MAPPING); } public PolicyConstraintsExt() { 
@@ -89,90 +93,100 @@ public class PolicyConstraintsExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - // XXX should do do this ? - // if CA does not allow subordinate CAs by way of basic constraints, - // this policy always rejects + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects /***** - * ICertAuthority certAuthority = (ICertAuthority) - * ((GenericPolicyProcessor)owner).mAuthority; if (certAuthority - * instanceof ICertificateAuthority) { CertificateChain caChain = - * certAuthority.getCACertChain(); X509Certificate caCert = null; // - * Note that in RA the chain could be null if CA was not up when // RA - * was started. In that case just set the length to -1 and let // CA - * reject if it does not allow any subordinate CA certs. if (caChain != - * null) { caCert = caChain.getFirstCertificate(); if (caCert != null) - * mCAPathLen = caCert.getBasicConstraints(); } } + ICertAuthority certAuthority = (ICertAuthority) + ((GenericPolicyProcessor)owner).mAuthority; + if (certAuthority instanceof ICertificateAuthority) { + CertificateChain caChain = certAuthority.getCACertChain(); + X509Certificate caCert = null; + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. 
+ if (caChain != null) { + caCert = caChain.getFirstCertificate(); + if (caCert != null) + mCAPathLen = caCert.getBasicConstraints(); + } + } ****/ - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mReqExplicitPolicy = mConfig.getInteger(PROP_REQ_EXPLICIT_POLICY, - DEF_REQ_EXPLICIT_POLICY); - mInhibitPolicyMapping = mConfig.getInteger(PROP_INHIBIT_POLICY_MAPPING, - DEF_INHIBIT_POLICY_MAPPING); + mReqExplicitPolicy = mConfig.getInteger( + PROP_REQ_EXPLICIT_POLICY, DEF_REQ_EXPLICIT_POLICY); + mInhibitPolicyMapping = mConfig.getInteger( + PROP_INHIBIT_POLICY_MAPPING, DEF_INHIBIT_POLICY_MAPPING); - if (mReqExplicitPolicy < -1) + if (mReqExplicitPolicy < -1) mReqExplicitPolicy = -1; - if (mInhibitPolicyMapping < -1) + if (mInhibitPolicyMapping < -1) mInhibitPolicyMapping = -1; - - // create instance of policy constraings extension + + // create instance of policy constraings extension try { - mPolicyConstraintsExtension = new PolicyConstraintsExtension( - mCritical, mReqExplicitPolicy, mInhibitPolicyMapping); - CMS.debug("PolicyConstraintsExt: Created Policy Constraints Extension: " - + mPolicyConstraintsExtension); + mPolicyConstraintsExtension = + new PolicyConstraintsExtension(mCritical, + mReqExplicitPolicy, mInhibitPolicyMapping); + CMS.debug( + "PolicyConstraintsExt: Created Policy Constraints Extension: " + + mPolicyConstraintsExtension); } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Could not init Policy Constraints Extension. 
Error: " + e)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CANT_INIT_POLICY_CONST_EXT", e.toString())); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Could not init Policy Constraints Extension. Error: " + e)); } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" - + mReqExplicitPolicy); - mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" - + mInhibitPolicyMapping); + mInstanceParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + mInstanceParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); } /** * Adds Policy Constraints Extension to a (CA) certificate. * - * If a Policy constraints Extension is already there, accept it if it's - * been approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * If a Policy constraints Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - // if extension hasn't been properly configured reject requests until + // if extension hasn't been properly configured reject requests until // it has been resolved (or disabled). if (mPolicyConstraintsExtension == null) { return PolicyResult.ACCEPTED; } // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { 
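Review bot: The comment at the top of apply() says requests are rejected until the extension has been properly configured, but the next statement returns `PolicyResult.ACCEPTED` when `mPolicyConstraintsExtension` is null, so the comment and the code disagree and the rule fails open. Because init() throws on a failed extension construction, the null case appears reachable only when init() never ran; either the branch should reject as the comment claims, or the comment should state the actual behaviour, e.g. `// extension never initialized (init() throws on construction errors, so init() did not run): pass the request through untouched`. The same mismatch is in PolicyMappingsExt.apply() in the @@ -170 hunk, where the commented-out `setError`/`return PolicyResult.REJECTED` lines show rejection was the original intent. apply() continues beyond the end of this hunk.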
@@ -191,16 +205,16 @@ public class PolicyConstraintsExt extends APolicyRule implements // else ignore. try { PolicyConstraintsExtension policyConstraintsExt = null; - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - policyConstraintsExt = (PolicyConstraintsExtension) extensions - .get(PolicyConstraintsExtension.NAME); + policyConstraintsExt = (PolicyConstraintsExtension) + extensions.get(PolicyConstraintsExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (policyConstraintsExt != null) { 
@@ -212,69 +226,65 @@ public class PolicyConstraintsExt extends APolicyRule implements } if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set("PolicyConstriantsExt", mPolicyConstraintsExtension); + extensions.set( + "PolicyConstriantsExt", mPolicyConstraintsExtension); CMS.debug("PolicyConstraintsExt: added our policy constraints extension"); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CANT_PROCESS_POLICY_CONST_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. 
*/ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * gets plugin info for pretty console edit displays. + * gets plugin info for pretty console edit displays. */ public String[] getExtendedPluginInfo(Locale locale) { mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(PROP_REQ_EXPLICIT_POLICY + "=" - + mReqExplicitPolicy); - mInstanceParams.addElement(PROP_INHIBIT_POLICY_MAPPING + "=" - + mInhibitPolicyMapping); + mInstanceParams.addElement( + PROP_REQ_EXPLICIT_POLICY + "=" + mReqExplicitPolicy); + mInstanceParams.addElement( + PROP_INHIBIT_POLICY_MAPPING + "=" + mInhibitPolicyMapping); String[] params = { - PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", - PROP_REQ_EXPLICIT_POLICY - + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.", - PROP_INHIBIT_POLICY_MAPPING - + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-policyconstraints" }; + PROP_CRITICAL + ";boolean;RFC 2459 recommendation: may be critical or non-critical.", + PROP_REQ_EXPLICIT_POLICY + ";integer;Number of addional certificates that may appear in the path before an explicit policy is required. If less than 0 this field is unset in the extension.", + PROP_INHIBIT_POLICY_MAPPING + ";integer;Number of addional certificates that may appear in the path before policy mapping is no longer permitted. If less than 0 this field is unset in the extension.", + IExtendedPluginInfo.HELP_TOKEN + ";configuration-policyrules-policyconstraints" + }; return params; } } + 
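Review bot: `extensions.set("PolicyConstriantsExt", mPolicyConstraintsExtension);` stores the extension under a misspelt string literal, while the existing-extension lookup earlier in apply() (@@ -191 hunk) uses `PolicyConstraintsExtension.NAME` and the sibling PolicyMappingsExt stores with `PolicyMappingsExtension.NAME`. If CertificateExtensions keys entries by the name passed to set(), the lookup will never find what this line stored on a later pass; `extensions.set(PolicyConstraintsExtension.NAME, mPolicyConstraintsExtension);` keeps both sides consistent. Separately, getExtendedPluginInfo() appends three entries to `mInstanceParams` on every call, so the vector returned by getInstanceParams() accumulates duplicates; those `addElement` calls already happen in init() and belong only there, with getExtendedPluginInfo() building its `params` array alone.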
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java index 24f202f3..452a9a3f 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PolicyMappingsExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; @@ -42,21 +43,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Policy Mappings Extension Policy Adds the Policy Mappings extension to a (CA) - * certificate. Filtering of CA certificates is done through predicates. + * Policy Mappings Extension Policy + * Adds the Policy Mappings extension to a (CA) certificate. + * Filtering of CA certificates is done through predicates. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class PolicyMappingsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class PolicyMappingsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_NUM_POLICYMAPPINGS = "numPolicyMappings"; 
@@ -83,47 +85,53 @@ public class PolicyMappingsExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate=certType==ca - * ca.Policy.rule.<ruleName>.implName= ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate=certType==ca + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - // XXX should do do this ? - // if CA does not allow subordinate CAs by way of basic constraints, - // this policy always rejects + // XXX should do do this ? + // if CA does not allow subordinate CAs by way of basic constraints, + // this policy always rejects /***** - * ICertAuthority certAuthority = (ICertAuthority) - * ((IPolicyProcessor)owner).getAuthority(); if (certAuthority - * instanceof ICertificateAuthority) { CertificateChain caChain = - * certAuthority.getCACertChain(); X509Certificate caCert = null; // - * Note that in RA the chain could be null if CA was not up when // RA - * was started. In that case just set the length to -1 and let // CA - * reject if it does not allow any subordinate CA certs. if (caChain != - * null) { caCert = caChain.getFirstCertificate(); if (caCert != null) - * mCAPathLen = caCert.getBasicConstraints(); } } + ICertAuthority certAuthority = (ICertAuthority) + ((IPolicyProcessor)owner).getAuthority(); + if (certAuthority instanceof ICertificateAuthority) { + CertificateChain caChain = certAuthority.getCACertChain(); + X509Certificate caCert = null; + // Note that in RA the chain could be null if CA was not up when + // RA was started. In that case just set the length to -1 and let + // CA reject if it does not allow any subordinate CA certs. 
+ if (caChain != null) { + caCert = caChain.getFirstCertificate(); + if (caCert != null) + mCAPathLen = caCert.getBasicConstraints(); + } + } ****/ - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); - mNumPolicyMappings = mConfig.getInteger(PROP_NUM_POLICYMAPPINGS, - DEF_NUM_POLICYMAPPINGS); + mNumPolicyMappings = mConfig.getInteger( + PROP_NUM_POLICYMAPPINGS, DEF_NUM_POLICYMAPPINGS); if (mNumPolicyMappings < 1) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", PROP_NUM_POLICYMAPPINGS, - "value must be greater than or equal to 1")); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_ATTR_VALUE_2", NAME, "")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_NUM_POLICYMAPPINGS, + "value must be greater than or equal to 1")); } - // init Policy Mappings, check values if enabled. + // init Policy Mappings, check values if enabled. mPolicyMaps = new PolicyMap[mNumPolicyMappings]; for (int i = 0; i < mNumPolicyMappings; i++) { String subtreeName = PROP_POLICYMAP + i; @@ -131,11 +139,8 @@ public class PolicyMappingsExt extends APolicyRule implements try { mPolicyMaps[i] = new PolicyMap(subtreeName, mConfig, mEnabled); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - NAME - + ": " - + CMS.getLogMessage("POLICY_ERROR_CREATE_MAP", - e.toString())); + log(ILogger.LL_FAILURE, NAME + ": " + + CMS.getLogMessage("POLICY_ERROR_CREATE_MAP", e.toString())); throw e; } } 
@@ -146,22 +151,22 @@ public class PolicyMappingsExt extends APolicyRule implements Vector certPolicyMaps = new Vector(); for (int j = 0; j < mNumPolicyMappings; j++) { - certPolicyMaps - .addElement(mPolicyMaps[j].mCertificatePolicyMap); + certPolicyMaps.addElement( + mPolicyMaps[j].mCertificatePolicyMap); } - mPolicyMappingsExtension = new PolicyMappingsExtension( - mCritical, certPolicyMaps); + mPolicyMappingsExtension = + new PolicyMappingsExtension(mCritical, certPolicyMaps); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", "Error initializing " + NAME - + " Error: " + e)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error initializing " + NAME + " Error: " + e)); } } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(PROP_NUM_POLICYMAPPINGS + "=" - + mNumPolicyMappings); + mInstanceParams.addElement( + PROP_NUM_POLICYMAPPINGS + "=" + mNumPolicyMappings); for (int i = 0; i < mNumPolicyMappings; i++) { mPolicyMaps[i].getInstanceParams(mInstanceParams); } 
@@ -170,27 +175,28 @@ public class PolicyMappingsExt extends APolicyRule implements /** * Adds policy mappings Extension to a (CA) certificate. * - * If a policy mappings Extension is already there, accept it if it's been - * approved by agent, else replace it. - * - * @param req The request on which to apply policy. + * If a policy mappings Extension is already there, accept it if + * it's been approved by agent, else replace it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { - // if extension hasn't been properly configured reject requests until + // if extension hasn't been properly configured reject requests until // it has been resolved (or disabled). if (mPolicyMappingsExtension == null) { - // setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); - // return PolicyResult.REJECTED; + //setError(req, PolicyResources.EXTENSION_NOT_INITED_1, NAME); + //return PolicyResult.REJECTED; return PolicyResult.ACCEPTED; } // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { 
@@ -208,16 +214,16 @@ public class PolicyMappingsExt extends APolicyRule implements // else ignore. try { PolicyMappingsExtension policyMappingsExt = null; - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - policyMappingsExt = (PolicyMappingsExtension) extensions - .get(PolicyMappingsExtension.NAME); + policyMappingsExt = (PolicyMappingsExtension) + extensions.get(PolicyMappingsExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (policyMappingsExt != null) { 
@@ -229,93 +235,88 @@ public class PolicyMappingsExt extends APolicyRule implements } if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set(PolicyMappingsExtension.NAME, - mPolicyMappingsExtension); + extensions.set( + PolicyMappingsExtension.NAME, mPolicyMappingsExtension); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_PROCESS_POLICYMAP_EXT", - e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_PROCESS_POLICYMAP_EXT", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** - * Default config parameters. To add more permitted or excluded subtrees, - * increase the num to greater than 0 and more configuration params will - * show up in the console. + * Default config parameters. 
+ * To add more permitted or excluded subtrees, + * increase the num to greater than 0 and more configuration params + * will show up in the console. */ private static Vector mDefParams = new Vector(); static { mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(PROP_NUM_POLICYMAPPINGS + "=" - + DEF_NUM_POLICYMAPPINGS); + mDefParams.addElement( + PROP_NUM_POLICYMAPPINGS + "=" + DEF_NUM_POLICYMAPPINGS); String policyMap0Dot = PROP_POLICYMAP + "0."; - mDefParams.addElement(policyMap0Dot - + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + "=" + ""); - mDefParams.addElement(policyMap0Dot - + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + "=" + ""); + mDefParams.addElement( + policyMap0Dot + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + "=" + ""); + mDefParams.addElement( + policyMap0Dot + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + "=" + ""); } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } public String[] getExtendedPluginInfo(Locale locale) { Vector theparams = new Vector(); + + theparams.addElement(PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST be non-critical."); + theparams.addElement(PROP_NUM_POLICYMAPPINGS + ";number; Number of policy mappings. The value must be greater than or equal to 1"); - theparams.addElement(PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: MUST be non-critical."); - theparams - .addElement(PROP_NUM_POLICYMAPPINGS - + ";number; Number of policy mappings. 
The value must be greater than or equal to 1"); - - String policyInfo = ";string;An object identifier in the form n.n.n.n"; + String policyInfo = + ";string;An object identifier in the form n.n.n.n"; for (int k = 0; k < 5; k++) { String policyMapkDot = PROP_POLICYMAP + k + "."; - theparams.addElement(policyMapkDot - + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + policyInfo); - theparams.addElement(policyMapkDot - + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + policyInfo); + theparams.addElement(policyMapkDot + + PolicyMap.PROP_ISSUER_DOMAIN_POLICY + policyInfo); + theparams.addElement(policyMapkDot + + PolicyMap.PROP_SUBJECT_DOMAIN_POLICY + policyInfo); } - theparams.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-policymappings"); - theparams.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Policy Mappings Extension. See RFC 2459 (4.2.1.6)"); + theparams.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-policymappings"); + theparams.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Policy Mappings Extension. See RFC 2459 (4.2.1.6)"); String[] params = new String[theparams.size()]; @@ -324,6 +325,7 @@ public class PolicyMappingsExt extends APolicyRule implements } } + class PolicyMap { protected static String PROP_ISSUER_DOMAIN_POLICY = "issuerDomainPolicy"; 
@@ -338,89 +340,89 @@ class PolicyMap { /** * forms policy map parameters. - * * @param name name of this policy map, for example policyMap0 * @param config parent's config from where we find this configuration. * @param enabled whether policy was enabled. */ - protected PolicyMap(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected PolicyMap(String name, IConfigStore config, boolean enabled) + throws EBaseException { mName = name; mConfig = config.getSubStore(mName); mNameDot = mName + "."; - if (mConfig == null) { - CMS.debug("PolicyMappingsExt::PolicyMap - mConfig is null!"); + if( mConfig == null ) { + CMS.debug( "PolicyMappingsExt::PolicyMap - mConfig is null!" ); return; } // if there's no configuration for this map put it there. if (mConfig.size() == 0) { - config.putString(mNameDot + PROP_ISSUER_DOMAIN_POLICY, ""); - config.putString(mNameDot + PROP_SUBJECT_DOMAIN_POLICY, ""); + config.putString(mNameDot + PROP_ISSUER_DOMAIN_POLICY, ""); + config.putString(mNameDot + PROP_SUBJECT_DOMAIN_POLICY, ""); mConfig = config.getSubStore(mName); if (mConfig == null || mConfig.size() == 0) { - CMS.debug("PolicyMappingsExt::PolicyMap - mConfig " - + "is null or empty!"); + CMS.debug( "PolicyMappingsExt::PolicyMap - mConfig " + + "is null or empty!" ); return; } } // get policy ids from configuration. 
- mIssuerDomainPolicy = mConfig - .getString(PROP_ISSUER_DOMAIN_POLICY, null); - mSubjectDomainPolicy = mConfig.getString(PROP_SUBJECT_DOMAIN_POLICY, - null); + mIssuerDomainPolicy = + mConfig.getString(PROP_ISSUER_DOMAIN_POLICY, null); + mSubjectDomainPolicy = + mConfig.getString(PROP_SUBJECT_DOMAIN_POLICY, null); // adjust for "" and console returning "null" - if (mIssuerDomainPolicy != null - && (mIssuerDomainPolicy.length() == 0 || mIssuerDomainPolicy - .equals("null"))) { + if (mIssuerDomainPolicy != null && + (mIssuerDomainPolicy.length() == 0 || + mIssuerDomainPolicy.equals("null"))) { mIssuerDomainPolicy = null; } - if (mSubjectDomainPolicy != null - && (mSubjectDomainPolicy.length() == 0 || mSubjectDomainPolicy - .equals("null"))) { + if (mSubjectDomainPolicy != null && + (mSubjectDomainPolicy.length() == 0 || + mSubjectDomainPolicy.equals("null"))) { mSubjectDomainPolicy = null; } // policy ids cannot be null if policy is enabled. String msg = "value cannot be null."; - if (mIssuerDomainPolicy == null && enabled) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mNameDot - + PROP_ISSUER_DOMAIN_POLICY, msg)); - if (mSubjectDomainPolicy == null && enabled) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mNameDot - + PROP_SUBJECT_DOMAIN_POLICY, msg)); + if (mIssuerDomainPolicy == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_ISSUER_DOMAIN_POLICY, msg)); + if (mSubjectDomainPolicy == null && enabled) + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mNameDot + PROP_SUBJECT_DOMAIN_POLICY, msg)); - // if a policy id is not null check that it is a valid OID. + // if a policy id is not null check that it is a valid OID. 
ObjectIdentifier issuerPolicyId = null; ObjectIdentifier subjectPolicyId = null; - if (mIssuerDomainPolicy != null) - issuerPolicyId = CMS.checkOID(mNameDot + PROP_ISSUER_DOMAIN_POLICY, - mIssuerDomainPolicy); - if (mSubjectDomainPolicy != null) - subjectPolicyId = CMS.checkOID(mNameDot - + PROP_SUBJECT_DOMAIN_POLICY, mSubjectDomainPolicy); - - // if enabled, form CertificatePolicyMap to be encoded in extension. - // policy ids should be all set. + if (mIssuerDomainPolicy != null) + issuerPolicyId = CMS.checkOID( + mNameDot + PROP_ISSUER_DOMAIN_POLICY, mIssuerDomainPolicy); + if (mSubjectDomainPolicy != null) + subjectPolicyId = CMS.checkOID( + mNameDot + PROP_SUBJECT_DOMAIN_POLICY, mSubjectDomainPolicy); + + // if enabled, form CertificatePolicyMap to be encoded in extension. + // policy ids should be all set. if (enabled) { mCertificatePolicyMap = new CertificatePolicyMap( - new CertificatePolicyId(issuerPolicyId), - new CertificatePolicyId(subjectPolicyId)); + new CertificatePolicyId(issuerPolicyId), + new CertificatePolicyId(subjectPolicyId)); } } protected void getInstanceParams(Vector instanceParams) { - instanceParams.addElement(mNameDot + PROP_ISSUER_DOMAIN_POLICY + "=" - + (mIssuerDomainPolicy == null ? "" : mIssuerDomainPolicy)); - instanceParams.addElement(mNameDot + PROP_SUBJECT_DOMAIN_POLICY + "=" - + (mSubjectDomainPolicy == null ? "" : mSubjectDomainPolicy)); + instanceParams.addElement( + mNameDot + PROP_ISSUER_DOMAIN_POLICY + "=" + (mIssuerDomainPolicy == null ? "" : + mIssuerDomainPolicy)); + instanceParams.addElement( + mNameDot + PROP_SUBJECT_DOMAIN_POLICY + "=" + (mSubjectDomainPolicy == null ? "" : + mSubjectDomainPolicy)); } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java index b88027a4..41f08963 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java 
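Review bot: The early `return` on `mConfig == null` in the PolicyMap constructor bypasses the "policy ids cannot be null if policy is enabled" check further down, so an enabled rule whose sub-store is missing is built with both policy ids and `mCertificatePolicyMap` left null and only a debug line recording it. The later `EBaseException` exists precisely to refuse an enabled mapping without ids, so the missing-store path should fail the same way when `enabled` is true, e.g. `if (mConfig == null) { if (enabled) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", mName, "configuration is missing")); return; }`, and likewise for the "null or empty" branch after the `putString` calls. How the null `mCertificatePolicyMap` is consumed when the extension is encoded is outside this hunk, so the impact there is inferred. Minor style: the new `if( mConfig == null )` spacing differs from every other `if (...)` in the file.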
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PresenceExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.util.Locale; import java.util.Vector; @@ -31,12 +32,11 @@ import com.netscape.cms.policy.APolicyRule; /** * Checks extension presence. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ @@ -77,7 +77,7 @@ public class PresenceExt extends APolicyRule { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; mCritical = config.getBoolean(PROP_IS_CRITICAL, false); @@ -97,18 +97,19 @@ public class PresenceExt extends APolicyRule { PolicyResult res = PolicyResult.ACCEPTED; /* - * PresenceServerExtension ext = new PresenceServerExtension(mCritical, - * mOID, mVersion, mStreetAddress, mTelephoneNumber, mRFC822Name, mID, - * mHostName, mPortNumber, mMaxUsers, mServiceLevel); + PresenceServerExtension ext = new PresenceServerExtension(mCritical, + mOID, mVersion, mStreetAddress, + mTelephoneNumber, mRFC822Name, mID, + mHostName, mPortNumber, mMaxUsers, mServiceLevel); */ - + return res; } - public Vector getInstanceParams() { - Vector params = new Vector(); + public Vector getInstanceParams() { + Vector params = new Vector(); - params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); params.addElement(PROP_OID + "=" + mOID); params.addElement(PROP_VERSION + "=" + mVersion); params.addElement(PROP_STREET_ADDRESS + "=" + mStreetAddress); 
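Review bot: `apply` in PresenceExt returns `PolicyResult.ACCEPTED` unconditionally; the only other content of the method is the commented-out `PresenceServerExtension` construction that this hunk re-indents, so the class neither checks presence nor adds the extension despite its javadoc ("Checks extension presence"). Either delete the dead block and state the contract on the method, `/** No-op: extension construction is disabled; always returns ACCEPTED. */`, or restore the construction under a configuration guard. The fields and `init` that feed the commented-out call are outside this hunk.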
@@ -135,22 +136,22 @@ public class PresenceExt extends APolicyRule { PROP_PORT_NUMBER + ";string; port number", PROP_MAX_USERS + ";string; max users", PROP_SERVICE_LEVEL + ";string; service level", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-presenceext", - IExtendedPluginInfo.HELP_TEXT - + ";Adds Presence Server Extension;" + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-presenceext", + IExtendedPluginInfo.HELP_TEXT + + ";Adds Presence Server Extension;" - }; + }; return params; } - + /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } } diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java index d4639c83..ff0d5749 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.text.SimpleDateFormat; 
@@ -41,20 +42,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * PrivateKeyUsagePeriod Identifier Extension policy. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class PrivateKeyUsagePeriodExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class PrivateKeyUsagePeriodExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { private final static String PROP_NOT_BEFORE = "notBefore"; private final static String PROP_NOT_AFTER = "notAfter"; 
@@ -92,20 +93,18 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_IS_CRITICAL - + ";boolean;RFC 2459 recommendation: The profile " - + "recommends against the use of this extension. CAs " - + "conforming to the profile MUST NOT generate certs with " - + "critical private key usage period extensions.", - PROP_NOT_BEFORE - + ";string; Date before which the Private Key is invalid.", - PROP_NOT_AFTER - + ";string; Date after which the Private Key is invalid.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-privatekeyusageperiod", - IExtendedPluginInfo.HELP_TEXT - + ";Adds (deprecated) Private Key Usage Period Extension. " - + "Defined in RFC 2459 (4.2.1.4)" }; + PROP_IS_CRITICAL + ";boolean;RFC 2459 recommendation: The profile " + + "recommends against the use of this extension. CAs " + + "conforming to the profile MUST NOT generate certs with " + + "critical private key usage period extensions.", + PROP_NOT_BEFORE + ";string; Date before which the Private Key is invalid.", + PROP_NOT_AFTER + ";string; Date after which the Private Key is invalid.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-privatekeyusageperiod", + IExtendedPluginInfo.HELP_TEXT + + ";Adds (deprecated) Private Key Usage Period Extension. " + + "Defined in RFC 2459 (4.2.1.4)" + }; return params; } 
@@ -120,17 +119,17 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements /** * Initializes this policy rule. - * ra.Policy.rule.<ruleName>.implName=PrivateKeyUsageExtension - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.notBefore=30 - * ra.Policy.rule.<ruleName>.notAfter=180 - * ra.Policy.rule.<ruleName>.critical=false - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * ra.Policy.rule.<ruleName>.implName=PrivateKeyUsageExtension + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.notBefore=30 + * ra.Policy.rule.<ruleName>.notAfter=180 + * ra.Policy.rule.<ruleName>.critical=false + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { try { // Get params. 
@@ -146,29 +145,29 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements notAfter = formatter.format(formatter.parse(mNotAfter.trim())); } catch (Exception e) { // e.printStackTrace(); - Object[] params = { getInstanceName(), e }; + Object[] params = {getInstanceName(), e}; throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), - params); + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); } } /** - * Adds a private key usage extension if none exists. - * - * @param req The request on which to apply policy. + * Adds a private key usage extension if none exists. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } @@ -188,8 +187,8 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements try { // get subject key id extension if any. - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); } catch (IOException e) { // no extensions or subject key identifier extension. } catch (CertificateException e) { 
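Review bot: `if (ci == null || ci[0] == null)` in `apply` guards against a null CERT_INFO array but not an empty one, so a zero-length array escapes as `ArrayIndexOutOfBoundsException` instead of the intended REJECTED result with `CMS_POLICY_NO_CERT_INFO`; change it to `if (ci == null || ci.length == 0 || ci[0] == null) {`. The same pattern is in RemoveBasicConstraintsExt.apply (`@@ -36,64 +37,66 @@`) and SubjAltNameExt.apply (`@@ -117,40 +121,40 @@`). Whether `getExtDataInCertInfoArray` can actually return an empty array is not visible here, so treat this as a defensive check. The `init` method whose catch block opens this hunk starts outside it.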
@@ -202,26 +201,25 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements // remove any previously computed version of the extension try { extensions.delete(PrivateKeyUsageExtension.NAME); - + } catch (IOException e) { } } try { - ext = new PrivateKeyUsageExtension(formatter.parse(mNotBefore), - formatter.parse(mNotAfter)); - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + ext = new PrivateKeyUsageExtension( + formatter.parse(mNotBefore), + formatter.parse(mNotAfter)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions.set(PrivateKeyUsageExtension.NAME, ext); } catch (Exception e) { - if (e instanceof RuntimeException) + if (e instanceof RuntimeException) throw (RuntimeException) e; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", - e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); return PolicyResult.REJECTED; } return PolicyResult.ACCEPTED; @@ -229,11 +227,11 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return Empty Vector since this policy has no configuration parameters. - * for this policy instance. + * for this policy instance. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); params.addElement(PROP_IS_CRITICAL + "=" + mCritical); 
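Review bot: The failure path in `apply` reports `CMS_POLICY_SUBJECT_KEY_ID_ERROR` to the requester when the PrivateKeyUsage extension cannot be built, which names a different extension and will mislead anyone triaging a rejected request; the adjacent log key `POLICY_ERROR_CREATE_PRIVATE_KEY_EXT` is the right one, so `setError` should use a matching private-key-usage message (a key for it is not visible on this page, so confirm one exists in the message bundle before changing). The empty `catch (IOException e) { }` around `extensions.delete(...)` should carry a comment explaining why the failure is ignorable, e.g. `// no existing extension to remove`. `formatter` looks like a shared `SimpleDateFormat`, which is not thread-safe if it is a static field; its declaration is outside this hunk, so confirm.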
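Review bot: The javadoc on `getInstanceParams` says it returns an empty Vector because the policy has no configuration parameters, yet the method immediately adds `PROP_IS_CRITICAL + "=" + mCritical`; `getDefaultParams` in the next hunk (`@@ -244,11 +242,11 @@`) has the same contradiction with `DEFAULT_CRITICALITY`. Replace both `@return` descriptions with the wording the sibling policies use, `@return nvPairs A Vector of name/value pairs.`. Both method bodies continue outside their hunks.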
@@ -244,11 +242,11 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements /** * Return default parameters for a policy implementation. - * - * @return Empty Vector since this policy implementation has no - * configuration parameters. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); defParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); @@ -257,3 +255,4 @@ public class PrivateKeyUsagePeriodExt extends APolicyRule implements return defParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java index f2a2c25c..de39cccd 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/RemoveBasicConstraintsExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -36,64 +37,66 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Remove Basic Constraints policy. Adds the Basic constraints extension. + * Remove Basic Constraints policy. + * Adds the Basic constraints extension. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class RemoveBasicConstraintsExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class RemoveBasicConstraintsExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { public RemoveBasicConstraintsExt() { NAME = "RemoveBasicConstraintsExt"; DESC = "Remove Basic Constraints extension"; } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { } public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // get cert info. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); X509CertInfo certInfo = null; if (ci == null || (certInfo = ci[0]) == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } for (int i = 0; i < ci.length; i++) { PolicyResult certResult = applyCert(req, certInfo); - if (certResult == PolicyResult.REJECTED) + if (certResult == PolicyResult.REJECTED) return certResult; } return PolicyResult.ACCEPTED; } - public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + public PolicyResult applyCert( + IRequest req, X509CertInfo certInfo) { // get basic constraints extension from cert info if any. CertificateExtensions extensions = null; try { // get basic constraints extension if any. 
- extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions != null) { try { extensions.delete(BasicConstraintsExtension.NAME); - CMS.debug("PolicyRule RemoveBasicConstraintsExt: removed the extension from request " - + req.getRequestId().toString()); + CMS.debug("PolicyRule RemoveBasicConstraintsExt: removed the extension from request " + req.getRequestId().toString()); } catch (IOException e) { } } @@ -107,10 +110,10 @@ public class RemoveBasicConstraintsExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); return params; @@ -118,10 +121,10 @@ public class RemoveBasicConstraintsExt extends APolicyRule implements /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); return defParams; @@ -129,12 +132,14 @@ public class RemoveBasicConstraintsExt extends APolicyRule implements public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-removebasicconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Removes the Basic Constraints extension." }; + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-removebasicconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Removes the Basic Constraints extension." + }; return params; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java index f4fac64f..c9ce68f6 100644 
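Review bot: The loop in `apply` calls `applyCert(req, certInfo)` on every iteration, where `certInfo` is `ci[0]`, so for a multi-certificate request only the first certificate has its Basic Constraints extension removed and the remaining ones keep it, which defeats the purpose of a policy meant to strip CA capability from issued certificates. It should be `PolicyResult certResult = applyCert(req, ci[i]);`. The class javadoc also still says "Adds the Basic constraints extension"; it should read `Removes the Basic Constraints extension from the certificate.`. The `applyCert` body continues outside this hunk.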
--- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
+++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjAltNameExt.java
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Locale; 
@@ -41,53 +42,56 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * - * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. New Policy is - * com.netscape.certsrv.policy.SubjectAltNameExt. + * THIS POLICY HAS BEEN DEPRECATED SINCE CMS 4.2. + * New Policy is com.netscape.certsrv.policy.SubjectAltNameExt. * <p> * * Subject Alternative Name extension policy in CMS 4.1. - * - * Adds the subject alternative name extension depending on the certificate type - * requested. - * - * Two forms are supported. 1) For S/MIME certificates, email addresses are - * copied from data stored in the request by the authentication component. Both - * 'e' and 'altEmail' are supported so that both the primary address and - * alternative forms may be certified. Only the primary goes in the subjectName - * position (which should be phased out). - * - * e mailAlternateAddress + * + * Adds the subject alternative name extension depending on the + * certificate type requested. + * + * Two forms are supported. 1) For S/MIME certificates, email + * addresses are copied from data stored in the request by the + * authentication component. Both 'e' and 'altEmail' are supported + * so that both the primary address and alternative forms may be + * certified. Only the primary goes in the subjectName position (which + * should be phased out). + * + * e + * mailAlternateAddress * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, - IExtendedPluginInfo { - // for future use. currently always allow. +public class SubjAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // for future use. currently always allow. 
protected static final String PROP_AGENT_OVERR = "allowAgentOverride"; protected static final String PROP_EE_OVERR = "AllowEEOverride"; - protected static final String PROP_ENABLE_MANUAL_VALUES = "enableManualValues"; + protected static final String PROP_ENABLE_MANUAL_VALUES = + "enableManualValues"; - // for future use. currently always non-critical - // (standard says SHOULD be marked critical if included.) + // for future use. currently always non-critical + // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; - // for future use to allow overrides from forms. + // for future use to allow overrides from forms. // request must be agent approved or authenticated. protected boolean mAllowAgentOverride = false; protected boolean mAllowEEOverride = false; protected boolean mEnableManualValues = false; - // for future use. currently always critical - // (standard says SHOULD be marked critical if included.) + // for future use. currently always critical + // (standard says SHOULD be marked critical if included.) protected boolean mCritical = false; public SubjAltNameExt() { 
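Review bot: The comments above `PROP_CRITICAL` ("currently always non-critical") and above `mCritical` ("currently always critical") contradict each other, and neither is accurate: `mCritical` defaults to `false` and the `init` hunk later in this file reads it from `config.getBoolean(PROP_CRITICAL, false)`. Replace both with one comment that matches the code, e.g. `// criticality is read from the "critical" config parameter (default false)`, and keep the RFC note as a separate sentence if wanted. The constructor that follows is outside this hunk.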
@@ -97,18 +101,18 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subjaltname", - IExtendedPluginInfo.HELP_TEXT - + ";This policy inserts the Subject Alternative Name " - + "Extension into the certificate. See RFC 2459 (4.2.1.7). " - + "* Note: you probably want to use this policy in " - + "conjunction with an authentication manager which sets " - + "the 'mail' or 'mailalternateaddress' values in the authToken. " - + "See the 'ldapStringAttrs' parameter in the Directory-based " - + "authentication plugin" }; + PROP_CRITICAL + ";boolean;RFC 2459 recommendation: If the certificate subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname", + IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin" + }; return params; 
@@ -117,40 +121,40 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=SubjAltNameExt + * ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // future use. mAllowAgentOverride = config.getBoolean(PROP_AGENT_OVERR, false); mAllowEEOverride = config.getBoolean(PROP_EE_OVERR, false); mCritical = config.getBoolean(PROP_CRITICAL, false); - // mEnableManualValues = config.getBoolean(PROP_ENABLE_MANUAL_VALUES, - // false); + // mEnableManualValues = config.getBoolean(PROP_ENABLE_MANUAL_VALUES, false); } /** * Adds the subject alternative names extension if not set already. - * + * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // Find the X509CertInfo object in the request - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
@@ -170,11 +174,12 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, // // General error handling block // - apply: try { + apply: + try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions != null) { // @@ -188,16 +193,17 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, } // - // Determine the type of the request. For future expansion + // Determine the type of the request. For future expansion // this test should dispatch to a specialized object to - // handle each particular type. For now just return for + // handle each particular type. For now just return for // non-client certs, and implement client certs directly here. // - String certType = req.getExtDataInString(IRequest.HTTP_PARAMS, - IRequest.CERT_TYPE); + String certType = + req.getExtDataInString(IRequest.HTTP_PARAMS, IRequest.CERT_TYPE); - if (certType == null || !certType.equals(IRequest.CLIENT_CERT) - || !req.getExtDataInBoolean(IRequest.SMIME, false)) { + if (certType == null || + !certType.equals(IRequest.CLIENT_CERT) || + !req.getExtDataInBoolean(IRequest.SMIME, false)) { break apply; } 
@@ -206,36 +212,30 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, IAuthToken tok = findAuthToken(req, null); - if (tok == null) - break apply; + if (tok == null) break apply; Vector emails = getEmailList(tok); - if (emails == null) - break apply; + if (emails == null) break apply; - // Create the extension + // Create the extension SubjectAlternativeNameExtension subjAltNameExt = mkExt(emails); if (extensions == null) extensions = createCertificateExtensions(certInfo); - extensions - .set(SubjectAlternativeNameExtension.NAME, subjAltNameExt); + extensions.set(SubjectAlternativeNameExtension.NAME, + subjAltNameExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } 
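Review bot: In the `catch (IOException e)` branch `setError` is given `e.getMessage()` as its detail, which can be null and appears to end up in the message shown to the requester, while the `CertificateException` branch passes the fixed string "Certificate Info Error"; keep the full exception text in the `log` call only and make the two branches consistent, `setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, "I/O Error");`. The new one-line `if (tok == null) break apply;` and `if (emails == null) break apply;` also drop the braces the surrounding code uses. How `setError` renders its last argument is not visible here.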
@@ -243,17 +243,18 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, } /** - * Find a particular authentication token by manager name. If the token is - * not present return null + * Find a particular authentication token by manager name. + * If the token is not present return null */ - protected IAuthToken findAuthToken(IRequest req, String authMgrName) { + protected IAuthToken + findAuthToken(IRequest req, String authMgrName) { return req.getExtDataInAuthToken(IRequest.AUTH_TOKEN); } /** - * Generate a String Vector containing all the email addresses found in this - * Authentication token + * Generate a String Vector containing all the email addresses + * found in this Authentication token */ protected Vector /* of String */ getEmailList(IAuthToken tok) { @@ -263,8 +264,7 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, addValues(tok, "mail", v); addValues(tok, "mailalternateaddress", v); - if (v.size() == 0) - return null; + if (v.size() == 0) return null; return v; } @@ -272,11 +272,11 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Add attribute values from an LDAP attribute to a vector */ - protected void addValues(IAuthToken tok, String attrName, Vector v) { + protected void + addValues(IAuthToken tok, String attrName, Vector v) { String attr[] = tok.getInStringArray(attrName); - if (attr == null) - return; + if (attr == null) return; for (int i = 0; i < attr.length; i++) { v.addElement(attr[i]); @@ -286,8 +286,9 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Make a Subject name extension given a list of email addresses */ - protected SubjectAlternativeNameExtension mkExt(Vector emails) - throws IOException { + protected SubjectAlternativeNameExtension + mkExt(Vector emails) + throws IOException { SubjectAlternativeNameExtension sa; GeneralNames gns = new GeneralNames(); 
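Review bot: `findAuthToken` declares an `authMgrName` parameter that the body never uses — it returns `req.getExtDataInAuthToken(IRequest.AUTH_TOKEN)` regardless — while its javadoc promises a lookup "by manager name", and the caller in the `apply` hunk passes `null`. Either document the actual behavior, `Returns the request's authentication token; authMgrName is currently ignored.`, or drop the parameter. Splitting the return type and the method name onto separate lines (`protected IAuthToken` / `findAuthToken(...)`) here, and in `addValues` and `mkExt` below, is a style not used anywhere else in these files.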
@@ -303,17 +304,19 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, } /** - * Create a new SET of extensions in the certificate info object. - * + * Create a new SET of extensions in the certificate info + * object. + * * This should be a method in the X509CertInfo object */ - protected CertificateExtensions createCertificateExtensions( - X509CertInfo certInfo) throws IOException, CertificateException { + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { CertificateExtensions extensions; // Force version to V3 - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); 
@@ -323,33 +326,34 @@ public class SubjAltNameExt extends APolicyRule implements IEnrollmentPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { Vector params = new Vector(); - // params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride); - // params.addElement("PROP_EE_OVERR = " + mAllowEEOverride); + //params.addElement("PROP_AGENT_OVERR = " + mAllowAgentOverride); + //params.addElement("PROP_EE_OVERR = " + mAllowEEOverride); params.addElement(PROP_CRITICAL + "=" + mCritical); // params.addElement(PROP_ENABLE_MANUAL_VALUES + " = " + - // mEnableManualValues); + // mEnableManualValues); return params; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { Vector defParams = new Vector(); - // defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR); - // defParams.addElement("PROP_EE_OVERR = " + DEF_EE_OVERR); + //defParams.addElement("PROP_AGENT_OVERR = " + DEF_AGENT_OVERR); + //defParams.addElement("PROP_EE_OVERR = " + DEF_EE_OVERR); defParams.addElement(PROP_CRITICAL + "=false"); // defParams.addElement(PROP_ENABLE_MANUAL_VALUES + "= false"); return defParams; } } + diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java index 5340c5c2..7ff1a6c9 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectAltNameExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; 
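Review bot: The commented-out `params.addElement("PROP_AGENT_OVERR = " ...)`, `PROP_EE_OVERR` and `PROP_ENABLE_MANUAL_VALUES` lines in `getInstanceParams` and `getDefaultParams` are reflowed here rather than removed; code kept as comments only drifts from the live code, and version control already preserves the history. Deleting them leaves each method as a two-line body that builds the `PROP_CRITICAL` entry and returns the Vector. The same applies to the commented-out `mDefaultParams.addElement(PROP_REQATTR_NAME...)` block and the `mReqAttrName` / `KEYID_TYPE_REQATTR` fragments in the SubjectKeyIdentifierExt hunks later in this diff.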
@@ -44,31 +45,33 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Subject Alternative Name extension policy. - * + * * Adds the subject alternative name extension as configured. - * - * Two forms are supported. 1) For S/MIME certificates, email addresses are - * copied from data stored in the request by the authentication component. Both - * 'e' and 'altEmail' are supported so that both the primary address and - * alternative forms may be certified. Only the primary goes in the subjectName - * position (which should be phased out). - * - * e mailAlternateAddress + * + * Two forms are supported. 1) For S/MIME certificates, email + * addresses are copied from data stored in the request by the + * authentication component. Both 'e' and 'altEmail' are supported + * so that both the primary address and alternative forms may be + * certified. Only the primary goes in the subjectName position (which + * should be phased out). + * + * e + * mailAlternateAddress * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectAltNameExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { - // (standard says SHOULD be marked critical if included.) +public class SubjectAltNameExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + // (standard says SHOULD be marked critical if included.) protected static final String PROP_CRITICAL = "critical"; protected static final boolean DEF_CRITICAL = false; 
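Review bot: The class Javadoc states that `'e'` and `'altEmail'` are the supported attributes and lists `e` / `mailAlternateAddress`, while the help text in this file's `getExtendedPluginInfo` hunk tells administrators to have the authentication manager set `'mail'` or `'mailalternateaddress'` in the authToken. One of the two descriptions is stale, and an administrator following the Javadoc would configure attributes the policy does not read; which set is correct is not decidable from this file, so please confirm against the `ISubjAltNameConfig` handling. Since the paragraph is being rewrapped anyway, it should either name the same attributes as the help text or say that the attribute names come from the configured general-name entries rather than being fixed.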
@@ -85,11 +88,12 @@ public class SubjectAltNameExt extends APolicyRule implements static { // default params. mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" - + IGeneralNameUtil.DEF_NUM_GENERALNAMES); + mDefParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + + IGeneralNameUtil.DEF_NUM_GENERALNAMES); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigDefaultParams( - IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); + IGeneralNameUtil.PROP_GENERALNAME + i, mDefParams); } } @@ -103,30 +107,31 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt - * ra.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=SubjectAltNameExt + * ra.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; // get criticality mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); // get enabled - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); // get general names configuration. - mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); + mNumGNs = mConfig.getInteger(IGeneralNameUtil.PROP_NUM_GENERALNAMES); if (mNumGNs <= 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_MUST_BE_POSITIVE_NUMBER", - IGeneralNameUtil.PROP_NUM_GENERALNAMES)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", + IGeneralNameUtil.PROP_NUM_GENERALNAMES)); } mGNs = new ISubjAltNameConfig[mNumGNs]; for (int i = 0; i < mNumGNs; i++) { 
@@ -138,8 +143,8 @@ public class SubjectAltNameExt extends APolicyRule implements // init instance params. mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); - mInstanceParams.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" - + mNumGNs); + mInstanceParams.addElement( + IGeneralNameUtil.PROP_NUM_GENERALNAMES + "=" + mNumGNs); for (int j = 0; j < mGNs.length; j++) { mGNs[j].getInstanceParams(mInstanceParams); } @@ -147,20 +152,21 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Adds the subject alternative names extension if not set already. - * + * * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; // Find the X509CertInfo object in the request - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); return PolicyResult.REJECTED; // unrecoverable error. } 
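Review bot: `if (ci == null || ci[0] == null)` in `apply` indexes element 0 before checking the array length, so a zero-length array from `getExtDataInCertInfoArray` would raise `ArrayIndexOutOfBoundsException` instead of producing the `CMS_POLICY_NO_CERT_INFO` rejection; whether that method can return an empty array is not visible here, so this is a hedged concern. The guard costs one extra term: `if (ci == null || ci.length == 0 || ci[0] == null) {`. The same pattern appears in `SubjectDirectoryAttributesExt.apply` later in this diff. `apply`'s body continues past this hunk.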
@@ -179,16 +185,16 @@ public class SubjectAltNameExt extends APolicyRule implements try { // Find the extensions in the certInfo - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); // Remove any previously computed version of the extension - // unless it is from RA. If from RA, accept what RA put in + // unless it is from RA. If from RA, accept what RA put in // request and don't add our own. if (extensions != null) { String sourceId = req.getSourceId(); - if (sourceId != null && sourceId.length() > 0) + if (sourceId != null && sourceId.length() > 0) return res; // accepted try { extensions.delete(SubjectAlternativeNameExtension.NAME); @@ -203,8 +209,7 @@ public class SubjectAltNameExt extends APolicyRule implements for (int i = 0; i < mNumGNs; i++) { Object value = null; - value = req.getExtDataInString(mGNs[i].getPfx(), - mGNs[i].getAttr()); + value = req.getExtDataInString(mGNs[i].getPfx(), mGNs[i].getAttr()); if (value == null) { continue; } @@ -218,8 +223,8 @@ public class SubjectAltNameExt extends APolicyRule implements } // nothing was found in request to put into extension - if (gns.size() == 0) - return res; // accepted + if (gns.size() == 0) + return res; // accepted String subject = certInfo.get(X509CertInfo.SUBJECT).toString(); @@ -228,10 +233,10 @@ public class SubjectAltNameExt extends APolicyRule implements if (subject.equals("")) { curCritical = true; } - - // make the extension - SubjectAlternativeNameExtension sa = new SubjectAlternativeNameExtension( - curCritical, gns); + + // make the extension + SubjectAlternativeNameExtension + sa = new SubjectAlternativeNameExtension(curCritical, gns); // add it to certInfo. if (extensions == null) 
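Review bot: The `return res; // accepted` taken when `req.getSourceId()` is non-empty keeps whatever SubjectAlternativeName the RA placed in the request, and this CA-side policy then performs no check of those names; the comment above it describes the mechanics but not the trust decision. Since the names end up in the issued certificate, the assumption should be stated where a reader of this branch sees it, e.g. `// Trust boundary: a request carrying an RA sourceId is treated as already vetted by the RA; the SAN it supplied is kept verbatim and not re-validated here.` Whether the RA actually validates SANs is not visible in this file, so that expectation belongs in the RA-side documentation as well. `apply` starts and ends outside this hunk.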
@@ -242,41 +247,38 @@ public class SubjectAltNameExt extends APolicyRule implements return res; // accepted. } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; // unrecoverable error. } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Internal Error"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("BASE_INTERNAL_ERROR_1", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Internal Error"); return PolicyResult.REJECTED; // unrecoverable error. } } /** - * Create a new SET of extensions in the certificate info object. - * + * Create a new SET of extensions in the certificate info + * object. 
+ * * This should be a method in the X509CertInfo object */ - protected CertificateExtensions createCertificateExtensions( - X509CertInfo certInfo) throws IOException, CertificateException { + protected CertificateExtensions + createCertificateExtensions(X509CertInfo certInfo) + throws IOException, CertificateException { CertificateExtensions extensions; // Force version to V3 - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); @@ -286,19 +288,19 @@ public class SubjectAltNameExt extends APolicyRule implements /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefParams; } 
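Review bot: The three catch blocks at the end of `apply` differ in what reaches the requester: the `IOException` branch passes `e.getMessage()` as the detail argument to `setError`, while the `CertificateException` and `Exception` branches pass fixed strings ("Certificate Info Error", "Internal Error"). Exception messages can carry internal detail (paths, class names), so the fixed-string form already used by the other two branches is the safer default for the user-visible error while the full message still goes to the log; `setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), NAME, "IO Error");` aligns it. The final `catch (Exception e)` also logs only `e.getMessage()`, which is null for many runtime exceptions; `e.toString()` keeps at least the exception class in the log entry. `apply` begins outside this hunk.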
@@ -307,26 +309,26 @@ public class SubjectAltNameExt extends APolicyRule implements // extended plugin info. Vector info = new Vector(); - info.addElement(PROP_CRITICAL - + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); + info.addElement(PROP_CRITICAL + ";boolean;RFC2459 recommendation: If the certificate subject field contains an empty sequence, the extension MUST be marked critical."); info.addElement(IGeneralNameUtil.PROP_NUM_GENERALNAMES_INFO); for (int i = 0; i < IGeneralNameUtil.DEF_NUM_GENERALNAMES; i++) { CMS.getSubjAltNameConfigExtendedPluginInfo( - IGeneralNameUtil.PROP_GENERALNAME + i, info); + IGeneralNameUtil.PROP_GENERALNAME + i, info); } - info.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subjaltname"); - info.addElement(IExtendedPluginInfo.HELP_TEXT - + ";This policy inserts the Subject Alternative Name " - + "Extension into the certificate. See RFC 2459 (4.2.1.7). " - + "* Note: you probably want to use this policy in " - + "conjunction with an authentication manager which sets " - + "the 'mail' or 'mailalternateaddress' values in the authToken. " - + "See the 'ldapStringAttrs' parameter in the Directory-based " - + "authentication plugin"); + info.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjaltname"); + info.addElement(IExtendedPluginInfo.HELP_TEXT + + ";This policy inserts the Subject Alternative Name " + + "Extension into the certificate. See RFC 2459 (4.2.1.7). " + + "* Note: you probably want to use this policy in " + + "conjunction with an authentication manager which sets " + + "the 'mail' or 'mailalternateaddress' values in the authToken. " + + "See the 'ldapStringAttrs' parameter in the Directory-based " + + "authentication plugin"); mExtendedPluginInfo = new String[info.size()]; info.copyInto(mExtendedPluginInfo); return mExtendedPluginInfo; } } + 
diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java index 7f1df06d..f3ef687d 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectDirectoryAttributesExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.cert.CertificateException; import java.util.Enumeration; @@ -45,20 +46,20 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Policy to add the subject directory attributes extension. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectDirectoryAttributesExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class SubjectDirectoryAttributesExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_ATTRIBUTE = "attribute"; protected static final String PROP_NUM_ATTRIBUTES = "numAttributes"; @@ -75,7 +76,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements protected SubjectDirAttributesExtension mExt = null; protected Vector mParams = new Vector(); - private String[] mEPI = null; // extended plugin info + private String[] mEPI = null; // extended plugin info protected static Vector mDefParams = new Vector(); static { 
@@ -85,21 +86,20 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements public SubjectDirectoryAttributesExt() { NAME = "SubjectDirectoryAttributesExtPolicy"; DESC = "Sets Subject Directory Attributes Extension in certificates."; - setExtendedPluginInfo(); + setExtendedPluginInfo(); } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { boolean enabled = config.getBoolean("enabled", false); mConfig = config; - mCritical = mConfig.getBoolean(PROP_CRITICAL, false); - mNumAttributes = mConfig.getInteger(PROP_NUM_ATTRIBUTES, - DEF_NUM_ATTRIBUTES); + mCritical = mConfig.getBoolean(PROP_CRITICAL, false); + mNumAttributes = mConfig.getInteger(PROP_NUM_ATTRIBUTES, DEF_NUM_ATTRIBUTES); if (mNumAttributes < 1) { - EBaseException ex = new EBaseException(CMS.getUserMessage( - "CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_NUM_ATTRIBUTES)); + EBaseException ex = new EBaseException( + CMS.getUserMessage("CMS_BASE_MUST_BE_POSITIVE_NUMBER", PROP_NUM_ATTRIBUTES)); log(ILogger.LL_FAILURE, NAME + " Error: " + ex.toString()); throw ex; @@ -111,15 +111,14 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements mAttributes[i] = new AttributeConfig(name, c, enabled); } - if (enabled) { + if (enabled) { try { mExt = formExt(null); } catch (IOException e) { log(ILogger.LL_FAILURE, NAME + " Error: " + e.getMessage()); - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Error forming Subject Directory Attributes Extension. " - + "See log file for details.")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Error forming Subject Directory Attributes Extension. " + + "See log file for details.")); } } setInstanceParams(); 
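Review bot: `init` reads the enable flag with a literal key, `config.getBoolean("enabled", false)`, whereas the SubjectAltNameExt hunk earlier in this diff reads `mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false)` and its Javadoc documents the property as `enable=true`. If `PROP_ENABLE` resolves to `enable`, this lookup never sees the configured value, `enabled` stays false, and both the strict `AttributeConfig` validation and the `formExt(null)` pre-check that `enabled` gates are silently skipped, so a misconfigured attribute surfaces only at the first request instead of at startup. Using the shared constant, `boolean enabled = config.getBoolean(IPolicyProcessor.PROP_ENABLE, false);` (importing it if needed), removes the discrepancy; please confirm the actual key name before changing it. `init` continues past this hunk.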
@@ -127,7 +126,8 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements public PolicyResult apply(IRequest req) { PolicyResult res = PolicyResult.ACCEPTED; - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); @@ -137,7 +137,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements for (int i = 0; i < ci.length; i++) { PolicyResult r = applyCert(req, ci[i]); - if (r == PolicyResult.REJECTED) + if (r == PolicyResult.REJECTED) return r; } return PolicyResult.ACCEPTED; @@ -149,19 +149,18 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements try { // get extension and remove if exists. - extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); if (extensions == null) { extensions = new CertificateExtensions(); - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } else { try { extensions.delete(SubjectDirAttributesExtension.NAME); } catch (IOException ee) { - // if name is not found, try deleting the extension using - // the OID + // if name is not found, try deleting the extension using the OID try { extensions.delete("2.5.29.9"); } catch (IOException eee) { 
@@ -175,27 +174,22 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements } else { SubjectDirAttributesExtension ext = formExt(req); - if (ext != null) - extensions.set(SubjectDirAttributesExtension.NAME, - formExt(req)); + if (ext != null) + extensions.set(SubjectDirAttributesExtension.NAME, formExt(req)); } return PolicyResult.ACCEPTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; // unrecoverable error. } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "IOException Error"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_IO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "IOException Error"); return PolicyResult.REJECTED; - } + } } private Vector formValues(String val) { @@ -203,7 +197,7 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements Vector v = new Vector(); while (tokenizer.hasMoreElements()) { - String s = (String) tokenizer.nextElement(); + String s = (String) tokenizer.nextElement(); v.addElement(s); } 
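Review bot: In the try block that installs the extension (presumably `applyCert`, whose signature is outside the hunk), `SubjectDirAttributesExtension ext = formExt(req);` is computed and null-checked, but the `extensions.set(...)` call then invokes `formExt(req)` a second time instead of using `ext`. That repeats every request-attribute lookup and `checkValue` call, and the object that was null-checked is not the one that is stored. The stored value should be the checked one: `extensions.set(SubjectDirAttributesExtension.NAME, ext);`.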
@@ -219,12 +213,12 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements } public String[] getExtendedPluginInfo(Locale locale) { - return mEPI; // inited in the constructor. + return mEPI; // inited in the constructor. } private void setInstanceParams() { - mParams.addElement(PROP_CRITICAL + "=" + mCritical); - mParams.addElement(PROP_NUM_ATTRIBUTES + "=" + mNumAttributes); + mParams.addElement(PROP_CRITICAL + "=" + mCritical); + mParams.addElement(PROP_NUM_ATTRIBUTES + "=" + mNumAttributes); for (int i = 0; i < mNumAttributes; i++) { mAttributes[i].getInstanceParams(mParams); } @@ -235,8 +229,8 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements } private static void setDefaultParams() { - mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); - mDefParams.addElement(PROP_NUM_ATTRIBUTES + "=" + DEF_NUM_ATTRIBUTES); + mDefParams.addElement(PROP_CRITICAL + "=" + DEF_CRITICAL); + mDefParams.addElement(PROP_NUM_ATTRIBUTES + "=" + DEF_NUM_ATTRIBUTES); for (int i = 0; i < DEF_NUM_ATTRIBUTES; i++) { AttributeConfig.getDefaultParams(PROP_ATTRIBUTE + i, mDefParams); } 
@@ -245,32 +239,33 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements private void setExtendedPluginInfo() { Vector v = new Vector(); - v.addElement(PROP_CRITICAL + ";boolean;" - + "RFC 2459 recommendation: MUST be non-critical."); - v.addElement(PROP_NUM_ATTRIBUTES + ";number;" - + "Number of Attributes in the extension."); + v.addElement(PROP_CRITICAL + ";boolean;" + + "RFC 2459 recommendation: MUST be non-critical."); + v.addElement(PROP_NUM_ATTRIBUTES + ";number;" + + "Number of Attributes in the extension."); for (int i = 0; i < MAX_NUM_ATTRIBUTES; i++) { AttributeConfig.getExtendedPluginInfo(PROP_ATTRIBUTE + i, v); } - v.addElement(IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subjectdirectoryattributes"); - v.addElement(IExtendedPluginInfo.HELP_TEXT - + ";Adds Subject Directory Attributes extension. See RFC 2459 (4.2.1.9). It's not recommended as an essential part of the profile, but may be used in local environments."); + v.addElement(IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjectdirectoryattributes"); + v.addElement(IExtendedPluginInfo.HELP_TEXT + + ";Adds Subject Directory Attributes extension. See RFC 2459 (4.2.1.9). It's not recommended as an essential part of the profile, but may be used in local environments."); mEPI = com.netscape.cmsutil.util.Utils.getStringArrayFromVector(v); } - private SubjectDirAttributesExtension formExt(IRequest req) - throws IOException { + private SubjectDirAttributesExtension formExt(IRequest req) + throws IOException { Vector attrs = new Vector(); // if we're called from init and one attribute is from request attribute // the ext can't be formed yet. if (req == null) { for (int i = 0; i < mNumAttributes; i++) { - if (mAttributes[i].mWhereToGetValue == AttributeConfig.USE_REQUEST_ATTR) + if (mAttributes[i].mWhereToGetValue == + AttributeConfig.USE_REQUEST_ATTR) return null; } } 
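Review bot: `formExt` compares `mAttributes[i].mWhereToGetValue == AttributeConfig.USE_REQUEST_ATTR` by reference. It holds today only because the `AttributeConfig` constructor (in the hunks that follow) assigns the constant itself after an `equalsIgnoreCase` match; any future path that stores a configured string directly would make this test silently false and let `formExt(null)` proceed without a request to read from. `AttributeConfig.USE_REQUEST_ATTR.equals(mAttributes[i].mWhereToGetValue)` does not depend on that invariant. `formExt` continues into the next hunk.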
@@ -282,23 +277,24 @@ public class SubjectDirectoryAttributesExt extends APolicyRule implements // skip attribute if request attribute doesn't exist. Attribute a = mAttributes[i].formAttr(req); - if (a == null) + if (a == null) continue; attrs.addElement(a); } } - if (attrs.size() == 0) + if (attrs.size() == 0) return null; Attribute[] attrList = new Attribute[attrs.size()]; attrs.copyInto(attrList); - SubjectDirAttributesExtension ext = new SubjectDirAttributesExtension( - attrList); + SubjectDirAttributesExtension ext = + new SubjectDirAttributesExtension(attrList); return ext; } } + class AttributeConfig { protected static final String PROP_ATTRIBUTE_NAME = "attributeName"; 
@@ -321,56 +317,50 @@ class AttributeConfig { protected Attribute mAttribute = null; protected static final String ATTRIBUTE_NAME_INFO = "Attribute name."; - protected static final String WTG_VALUE_INFO = PROP_WTG_VALUE - + ";choice(" - + USE_REQUEST_ATTR - + "," - + USE_FIXED - + ");" - + "Get value from a request attribute or use a fixed value specified below."; - protected static final String VALUE_INFO = PROP_VALUE - + ";string;" - + "Request attribute name or a fixed value to put into the extension."; - - public AttributeConfig(String name, IConfigStore config, boolean enabled) - throws EBaseException { + protected static final String WTG_VALUE_INFO = + PROP_WTG_VALUE + ";choice(" + USE_REQUEST_ATTR + "," + USE_FIXED + ");" + + "Get value from a request attribute or use a fixed value specified below."; + protected static final String VALUE_INFO = + PROP_VALUE + ";string;" + + "Request attribute name or a fixed value to put into the extension."; + + public AttributeConfig(String name, IConfigStore config, boolean enabled) + throws EBaseException { X500NameAttrMap map = X500NameAttrMap.getDefault(); mName = name; mConfig = config; if (enabled) { - mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME); + mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME); mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE); mValue = mConfig.getString(PROP_VALUE); } else { mAttributeName = mConfig.getString(PROP_ATTRIBUTE_NAME, ""); - mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE, - USE_REQUEST_ATTR); + mWhereToGetValue = mConfig.getString(PROP_WTG_VALUE, USE_REQUEST_ATTR); mValue = mConfig.getString(PROP_VALUE, ""); } if (mAttributeName.length() > 0) { mAttributeOID = map.getOid(mAttributeName); - if (mAttributeOID == null) - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTRIBUTE", mAttributeName)); + if (mAttributeOID == null) + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mAttributeName)); } if 
(mWhereToGetValue.equalsIgnoreCase(USE_REQUEST_ATTR)) { mWhereToGetValue = USE_REQUEST_ATTR; if (enabled && mValue.length() == 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_GET_PROPERTY_FAILED", PROP_VALUE)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", PROP_VALUE)); } int dot = mValue.indexOf('.'); if (dot != -1) { mPrefix = mValue.substring(0, dot); mReqAttr = mValue.substring(dot + 1); - if (mPrefix == null || mPrefix.length() == 0 - || mReqAttr == null || mReqAttr.length() == 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTRIBUTE", mValue)); + if (mPrefix == null || mPrefix.length() == 0 || + mReqAttr == null || mReqAttr.length() == 0) { + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", mValue)); } } else { mPrefix = null; @@ -379,20 +369,18 @@ class AttributeConfig { } else if (mWhereToGetValue.equalsIgnoreCase(USE_FIXED)) { mWhereToGetValue = USE_FIXED; if (mAttributeOID != null) { - try { - checkValue(mAttributeOID, mValue); - mAttribute = new Attribute(mAttributeOID, mValue); + try { + checkValue(mAttributeOID, mValue); + mAttribute = new Attribute(mAttributeOID, mValue); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mAttributeName, - e.getMessage())); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mAttributeName, e.getMessage())); } } } else if (enabled || mWhereToGetValue.length() > 0) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_VALUE_FOR_TYPE", PROP_WTG_VALUE, - "Must be either '" + USE_REQUEST_ATTR + "' or '" - + USE_FIXED + "'.")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_VALUE_FOR_TYPE", PROP_WTG_VALUE, + "Must be either '" + USE_REQUEST_ATTR + "' or '" + USE_FIXED + "'.")); } } 
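Review bot: In the `USE_REQUEST_ATTR` branch of the `AttributeConfig` constructor, `mPrefix` and `mReqAttr` come from `mValue.substring(...)`, which never returns null, so the `mPrefix == null` and `mReqAttr == null` terms in the rewrapped condition are dead and hide the real check. `if (mPrefix.length() == 0 || mReqAttr.length() == 0) {` states the intent (a value such as `.attr` or `prefix.` is rejected). In the `USE_FIXED` branch the `catch (Exception e)` forwards only `e.getMessage()` into the new `EBaseException`; if `EBaseException` offers a cause-taking constructor, passing `e` preserves the stack trace for the log. The constructor's hunk is split across two physical lines here and begins on the previous one.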
@@ -408,8 +396,8 @@ class AttributeConfig { String nameDot = name + "."; String attrChoices = getAllNames(); - v.addElement(nameDot + PROP_ATTRIBUTE_NAME + ";choice(" + attrChoices - + ");" + ATTRIBUTE_NAME_INFO); + v.addElement(nameDot + PROP_ATTRIBUTE_NAME + ";choice(" + attrChoices + ");" + + ATTRIBUTE_NAME_INFO); v.addElement(nameDot + WTG_VALUE_INFO); v.addElement(nameDot + VALUE_INFO); } @@ -422,13 +410,14 @@ class AttributeConfig { v.addElement(nameDot + PROP_VALUE + "=" + mValue); } - public Attribute formAttr(IRequest req) throws IOException { + public Attribute formAttr(IRequest req) + throws IOException { String val = req.getExtDataInString(mPrefix, mReqAttr); if (val == null || val.length() == 0) { return null; } - checkValue(mAttributeOID, val); + checkValue(mAttributeOID, val); return new Attribute(mAttributeOID, val); } @@ -444,10 +433,9 @@ class AttributeConfig { return sb.toString(); } - private static void checkValue(ObjectIdentifier oid, String val) - throws IOException { - AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter( - oid); + private static void checkValue(ObjectIdentifier oid, String val) + throws IOException { + AVAValueConverter c = X500NameAttrMap.getDefault().getValueConverter(oid); DerValue derval; derval = c.getValue(val); // errs encountered will get thrown. diff --git a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java index 31aaa21a..0c763b8a 100644 --- a/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java +++ b/pki/base/common/src/com/netscape/cms/policy/extensions/SubjectKeyIdentifierExt.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.extensions; + import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; 
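Review bot: `checkValue` dereferences the `AVAValueConverter` returned by `X500NameAttrMap.getDefault().getValueConverter(oid)` without a null check; whether the map can return null for an OID that `getOid` accepted is not visible here, but if it can, an attribute with no converter would fail inside `formAttr`/`formExt` with a `NullPointerException` rather than the `IOException` the callers already handle. A guard such as `if (c == null) throw new IOException("no value converter for OID " + oid);` keeps the failure within the exception type `checkValue` declares. The local `derval` is assigned and never read; the trailing comment already explains the call is made for its side effect, so `c.getValue(val);` alone is clearer.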
@@ -45,21 +46,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** - * Subject Public Key Extension Policy Adds the subject public key id extension - * to certificates. + * Subject Public Key Extension Policy + * Adds the subject public key id extension to certificates. * <P> - * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class SubjectKeyIdentifierExt extends APolicyRule implements - IEnrollmentPolicy, IExtendedPluginInfo { +public class SubjectKeyIdentifierExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { protected static final String PROP_CRITICAL = "critical"; protected static final String PROP_KEYID_TYPE = "keyIdentifierType"; protected static final String PROP_REQATTR_NAME = "requestAttrName"; @@ -89,7 +90,7 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements mDefaultParams.addElement(PROP_KEYID_TYPE + "=" + DEF_KEYID_TYPE); /* - * mDefaultParams.addElement(PROP_REQATTR_NAME+"="+DEF_REQATTR_NAME); + mDefaultParams.addElement(PROP_REQATTR_NAME+"="+DEF_REQATTR_NAME); */ } 
@@ -101,74 +102,76 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements /** * Initializes this policy rule. * <P> - * + * * The entries may be of the form: - * - * ca.Policy.rule.<ruleName>.predicate= ca.Policy.rule.<ruleName>.implName= - * ca.Policy.rule.<ruleName>.enable=true - * - * @param config The config store reference + * + * ca.Policy.rule.<ruleName>.predicate= + * ca.Policy.rule.<ruleName>.implName= + * ca.Policy.rule.<ruleName>.enable=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mConfig = config; - mEnabled = mConfig.getBoolean(IPolicyProcessor.PROP_ENABLE, false); + mEnabled = mConfig.getBoolean( + IPolicyProcessor.PROP_ENABLE, false); mCritical = mConfig.getBoolean(PROP_CRITICAL, DEF_CRITICAL); mKeyIdType = mConfig.getString(PROP_KEYID_TYPE, DEF_KEYID_TYPE); /* - * mReqAttrName = mConfig.getString(PROP_REQATTR_NAME, - * DEF_REQATTR_NAME); + mReqAttrName = mConfig.getString(PROP_REQATTR_NAME, DEF_REQATTR_NAME); */ // parse key id type - if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) + if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SHA1)) mKeyIdType = KEYID_TYPE_SHA1; - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_TYPEFIELD)) mKeyIdType = KEYID_TYPE_TYPEFIELD; - /* - * else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) mKeyIdType = - * KEYID_TYPE_REQATTR; - */ - else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) + /* + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_REQATTR) + mKeyIdType = KEYID_TYPE_REQATTR; + */ + else if (mKeyIdType.equalsIgnoreCase(KEYID_TYPE_SPKISHA1)) mKeyIdType = KEYID_TYPE_SPKISHA1; else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", - PROP_KEYID_TYPE, "value must be one of " - + KEYID_TYPE_SHA1 + 
", " - + KEYID_TYPE_TYPEFIELD + ", " - + KEYID_TYPE_SPKISHA1)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("KRA_UNKNOWN_KEY_ID_TYPE", mKeyIdType)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + PROP_KEYID_TYPE, + "value must be one of " + + KEYID_TYPE_SHA1 + ", " + + KEYID_TYPE_TYPEFIELD + ", " + + KEYID_TYPE_SPKISHA1)); } - // form instance params + // form instance params mInstanceParams.addElement(PROP_CRITICAL + "=" + mCritical); mInstanceParams.addElement(PROP_KEYID_TYPE + "=" + mKeyIdType); /* - * mInstanceParams.addElement(PROP_REQATTR_NAME+"="+mReqAttrName); + mInstanceParams.addElement(PROP_REQATTR_NAME+"="+mReqAttrName); */ } /** - * Adds Subject Key identifier Extension to a certificate. If the extension - * is already there, accept it. - * - * @param req The request on which to apply policy. + * Adds Subject Key identifier Extension to a certificate. + * If the extension is already there, accept it. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { // get certInfo from request. - X509CertInfo[] ci = req.getExtDataInCertInfoArray(IRequest.CERT_INFO); - + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + if (ci == null || ci[0] == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); - return PolicyResult.REJECTED; + return PolicyResult.REJECTED; } for (int i = 0; i < ci.length; i++) { 
@@ -185,28 +188,28 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements try { // if subject key id extension already exists, leave it if approved. SubjectKeyIdentifierExtension subjectKeyIdExt = null; - CertificateExtensions extensions = (CertificateExtensions) certInfo - .get(X509CertInfo.EXTENSIONS); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); try { if (extensions != null) { - subjectKeyIdExt = (SubjectKeyIdentifierExtension) extensions - .get(SubjectKeyIdentifierExtension.NAME); + subjectKeyIdExt = (SubjectKeyIdentifierExtension) + extensions.get(SubjectKeyIdentifierExtension.NAME); } } catch (IOException e) { - // extension isn't there. + // extension isn't there. } if (subjectKeyIdExt != null) { if (agentApproved(req)) { - CMS.debug("SubjectKeyIdentifierExt: agent approved request id " - + req.getRequestId() - + " already has subject key id extension with value " - + subjectKeyIdExt); + CMS.debug( + "SubjectKeyIdentifierExt: agent approved request id " + req.getRequestId() + + " already has subject key id extension with value " + + subjectKeyIdExt); return PolicyResult.ACCEPTED; } else { - CMS.debug("SubjectKeyIdentifierExt: request id from user " - + req.getRequestId() - + " had subject key identifier - deleted to be replaced"); + CMS.debug( + "SubjectKeyIdentifierExt: request id from user " + req.getRequestId() + + " had subject key identifier - deleted to be replaced"); extensions.delete(SubjectKeyIdentifierExtension.NAME); } } 
@@ -214,40 +217,38 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements // create subject key id extension. KeyIdentifier keyId = null; - try { - keyId = formKeyIdentifier(certInfo, req); + try { + keyId = formKeyIdentifier(certInfo, req); } catch (EBaseException e) { setPolicyException(req, e); return PolicyResult.REJECTED; } - subjectKeyIdExt = new SubjectKeyIdentifierExtension(mCritical, - keyId.getIdentifier()); + subjectKeyIdExt = + new SubjectKeyIdentifierExtension( + mCritical, keyId.getIdentifier()); // add subject key id extension. if (extensions == null) { - certInfo.set(X509CertInfo.VERSION, new CertificateVersion( - CertificateVersion.V3)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); extensions = new CertificateExtensions(); certInfo.set(X509CertInfo.EXTENSIONS, extensions); } - extensions.set(SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); - CMS.debug("SubjectKeyIdentifierExt: added subject key id ext to request " - + req.getRequestId()); + extensions.set( + SubjectKeyIdentifierExtension.NAME, subjectKeyIdExt); + CMS.debug( + "SubjectKeyIdentifierExt: added subject key id ext to request " + req.getRequestId()); return PolicyResult.ACCEPTED; } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", - e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, e.getMessage()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_UNEXPECTED_POLICY_ERROR,NAME", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, e.getMessage()); return PolicyResult.REJECTED; } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); - setError(req, - CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), - NAME, "Certificate Info Error"); + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CA_CERT_INFO_ERROR", e.getMessage())); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR"), + NAME, "Certificate Info Error"); return PolicyResult.REJECTED; } } @@ -255,13 +256,12 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements /** * Form the Key Identifier in the Subject Key Identifier extension. * <p> - * * @param certInfo Certificate Info * @param req request * @return A Key Identifier. */ - protected KeyIdentifier formKeyIdentifier(X509CertInfo certInfo, - IRequest req) throws EBaseException { + protected KeyIdentifier formKeyIdentifier( + X509CertInfo certInfo, IRequest req) throws EBaseException { KeyIdentifier keyId = null; if (mKeyIdType == KEYID_TYPE_SHA1) { 
@@ -269,62 +269,55 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements } else if (mKeyIdType == KEYID_TYPE_TYPEFIELD) { keyId = formTypeFieldKeyId(certInfo); } /* - * else if (mKeyIdType == KEYID_TYPE_REQATTR) { keyId = - * formReqAttrKeyId(certInfo, req); } - */else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { + else if (mKeyIdType == KEYID_TYPE_REQATTR) { + keyId = formReqAttrKeyId(certInfo, req); + } + */ else if (mKeyIdType == KEYID_TYPE_SPKISHA1) { keyId = formSpkiSHA1KeyId(certInfo); } else { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", mKeyIdType, - "Unknown Key Identifier type.")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + mKeyIdType, "Unknown Key Identifier type.")); } return keyId; } /** - * Form key identifier from a type field value of 0100 followed by the least - * significate 60 bits of the sha-1 hash of the subject public key BIT - * STRING in accordance with RFC 2459. + * Form key identifier from a type field value of 0100 followed by + * the least significate 60 bits of the sha-1 hash of the subject + * public key BIT STRING in accordance with RFC 2459. * <p> - * * @param certInfo - certificate info * @return A Key Identifier with value formulatd as described. 
*/ protected KeyIdentifier formTypeFieldKeyId(X509CertInfo certInfo) - throws EBaseException { + throws EBaseException { KeyIdentifier keyId = null; X509Key key = null; try { - CertificateX509Key certKey = (CertificateX509Key) certInfo - .get(X509CertInfo.KEY); + CertificateX509Key certKey = + (CertificateX509Key) certInfo.get(X509CertInfo.KEY); if (certKey == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_MISSING_KEY", NAME)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); } key = (X509Key) certKey.get(CertificateX509Key.KEY); if (key == null) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_MISSING_KEY", NAME)); + log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_MISSING_KEY_1", NAME)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_MISSING_KEY", NAME)); } } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", - e.toString())); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } catch (CertificateException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", - e.toString())); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_GET_KEY_FROM_CERT", e.toString())); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } try { byte[] octetString = new byte[8]; 
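Review bot: The `else if (mKeyIdType == KEYID_TYPE_TYPEFIELD)` / `== KEYID_TYPE_SPKISHA1` chain in this hunk (and the `== KEYID_TYPE_SHA1` test in the previous one) compares strings by reference, which only holds because init() re-assigns mKeyIdType to the matching constant after its equalsIgnoreCase check. Any other assignment to mKeyIdType — its declaration is outside this hunk, so whether a subclass or setter can reach it is inferred — would make a perfectly valid name fall through to the "Unknown Key Identifier type." exception. Switching the three tests to `mKeyIdType.equals(KEYID_TYPE_SHA1)` etc. keeps the same behaviour without relying on that interning invariant. formKeyIdentifier starts in the preceding hunk; the commit only re-wraps these lines.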
@@ -337,47 +330,50 @@ public class SubjectKeyIdentifierExt extends APolicyRule implements octetString[0] &= (0x08f & octetString[0]); keyId = new KeyIdentifier(octetString); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_SUBJECT_KEY_ID_1", NAME)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR", NAME)); } return keyId; } /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getInstanceParams() { + public Vector getInstanceParams() { return mInstanceParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ - public Vector getDefaultParams() { + public Vector getDefaultParams() { return mDefaultParams; } /** - * Gets extended plugin info for pretty Console displays. + * Gets extended plugin info for pretty Console displays. */ public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_CRITICAL - + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.", - PROP_KEYID_TYPE + ";" + "choice(" + KEYID_TYPE_SHA1 + "," - + KEYID_TYPE_TYPEFIELD + "," + KEYID_TYPE_SPKISHA1 - + ");" + "Method to derive the Key Identifier.", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-subjectkeyidentifier", - IExtendedPluginInfo.HELP_TEXT - + ";Adds the Subject Key Identifier extension. 
See RFC 2459 (4.2.1.2)" }; + PROP_CRITICAL + ";boolean;RFC 2459 recommendation: MUST NOT be marked critical.", + PROP_KEYID_TYPE + ";" + + "choice(" + KEYID_TYPE_SHA1 + "," + + KEYID_TYPE_TYPEFIELD + "," + + KEYID_TYPE_SPKISHA1 + ");" + + "Method to derive the Key Identifier.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-subjectkeyidentifier", + IExtendedPluginInfo.HELP_TEXT + + ";Adds the Subject Key Identifier extension. See RFC 2459 (4.2.1.2)" + }; return params; } } + |
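Review bot: The context line `octetString[0] &= (0x08f & octetString[0]);` cannot produce the RFC 2459 §4.2.1.2 method-2 identifier that formTypeFieldKeyId's Javadoc promises ("type field value of 0100 followed by the least significant 60 bits"): it reduces to `octetString[0] & 0x8f`, so the high nibble ends up `1000` or `0000` depending on the digest's top bit, never `0100`. Replace it with `octetString[0] = (byte) ((octetString[0] & 0x0f) | 0x40);`, which clears the high nibble and sets the four-bit type field. This assumes the lines between this hunk and the previous one (not shown) copy the trailing eight bytes of the SHA-1 digest into octetString; formTypeFieldKeyId itself begins in the preceding hunk. The commit only re-wraps the surrounding catch block, so the defect is pre-existing rather than introduced here, but the resulting SKI still does not match the documented format.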