Diffstat (limited to 'pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java143
1 files changed, 65 insertions, 78 deletions
diff --git a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
index 0dedf8f4..902763b4 100644
--- a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
+++ b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.publish.publishers;
+
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
@@ -50,13 +51,13 @@ import com.netscape.certsrv.ldap.ELdapServerDownException;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.publish.ILdapPublisher;
-/**
- * Interface for mapping a X509 certificate to a LDAP entry
- *
+
+/**
+ * Interface for mapping a X509 certificate to a LDAP entry
+ *
* @version $Revision$, $Date$
*/
-public class LdapEncryptCertPublisher implements ILdapPublisher,
- IExtendedPluginInfo {
+public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPluginInfo {
public static final String LDAP_USERCERT_ATTR = "userCertificate;binary";
public static final String PROP_REVOKE_CERT = "revokeCert";
@@ -80,10 +81,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
public String[] getExtendedPluginInfo(Locale locale) {
String[] params = {
"certAttr;string;LDAP attribute in which to store the certificate",
- IExtendedPluginInfo.HELP_TOKEN
- + ";configuration-ldappublish-publisher-usercertpublisher",
- IExtendedPluginInfo.HELP_TEXT
- + ";This plugin knows how to publish user certificates" };
+ IExtendedPluginInfo.HELP_TOKEN +
+ ";configuration-ldappublish-publisher-usercertpublisher",
+ IExtendedPluginInfo.HELP_TEXT +
+ ";This plugin knows how to publish user certificates"
+ };
return params;
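Review bot: The extended plugin info in this hunk lists only `certAttr`, but the publisher also reads the `revokeCert` boolean (PROP_REVOKE_CERT, defaulting to true in revokeCert()) that makes it revoke the entry's existing certificate of the same type at the CA, so an administrator configuring the plugin from this info never sees that switch. Add an entry next to certAttr such as `"revokeCert;boolean;Revoke an existing certificate of the same type (encryption or signing) at the CA when a new one is published; default true",`. The help token and help text also still point at the usercertpublisher page and describe plain user-cert publishing, which hides the revocation side effect; a token for this publisher and text like `";This plugin publishes a user certificate and revokes the previous certificate of the same type"` would be more honest.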
@@ -107,7 +109,8 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
return mConfig;
}
- public void init(IConfigStore config) throws EBaseException {
+ public void init(IConfigStore config)
+ throws EBaseException {
if (mInited)
return;
mConfig = config;
@@ -121,16 +124,16 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
}
/**
- * publish a user certificate Adds the cert to the multi-valued certificate
- * attribute as a DER encoded binary blob. Does not check if cert already
- * exists.
+ * publish a user certificate
+ * Adds the cert to the multi-valued certificate attribute as a
+ * DER encoded binary blob. Does not check if cert already exists.
*
* @param conn the LDAP connection
* @param dn dn of the entry to publish the certificate
- * @param certObj the certificate object.
+ * @param certObj the certificate object.
*/
public void publish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
if (conn == null)
return;
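Review bot: The javadoc kept in this hunk says publish "Does not check if cert already exists", but the method body (next hunk) runs a base-scope search on the entry, hands the existing attribute to getModificationAttribute and returns early logging "already has cert" when that yields null, so the comment now contradicts the code. It also omits the publisher's main side effect: getModificationAttribute drops existing values of the same usage type (encryption or signing) from the attribute and calls revokeCert on them. Replace the summary with `* Publishes a user certificate: REPLACEs the entry's certificate attribute with the given DER-encoded cert, dropping and revoking any existing certificate of the same type (see getModificationAttribute); returns without change if the cert is already present.` and add `@throws ELdapException` and `@throws ELdapServerDownException` lines for the two failure paths in the body.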
@@ -144,52 +147,45 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
byte[] certEnc = cert.getEncoded();
// check if cert already exists.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
"(objectclass=*)", new String[] { mCertAttr }, false);
LDAPEntry entry = res.next();
- LDAPAttribute attr = getModificationAttribute(
- entry.getAttribute(mCertAttr), certEnc);
+ LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc);
if (attr == null) {
log(ILogger.LL_INFO, "publish: " + dn + " already has cert.");
return;
}
- // publish
- LDAPModification mod = new LDAPModification(
- LDAPModification.REPLACE, attr);
+ // publish
+ LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
} catch (CertificateEncodingException e) {
- CMS.debug("LdapEncryptCertPublisher: error in publish: "
- + e.toString());
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ CMS.debug("LdapEncryptCertPublisher: error in publish: " + e.toString());
+ throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
// need to intercept this because message from LDAP is
// "DSA is unavailable" which confuses with DSA PKI.
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
} else {
- log(ILogger.LL_FAILURE, CMS.getLogMessage(
- "PUBLISH_PUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString()));
}
}
return;
}
/**
- * unpublish a user certificate deletes the certificate from the list of
- * certificates. does not check if certificate is already there.
+ * unpublish a user certificate
+ * deletes the certificate from the list of certificates.
+ * does not check if certificate is already there.
*/
public void unpublish(LDAPConnection conn, String dn, Object certObj)
- throws ELdapException {
+ throws ELdapException {
if (!(certObj instanceof X509Certificate))
throw new IllegalArgumentException("Illegal arg to publish");
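Review bot: On the new-side line `LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc);` the attribute lookup is passed straight into getModificationAttribute, which dereferences it (`attr.getName()` in a later hunk); for an entry that does not yet carry the certificate attribute the first publish would presumably end in a NullPointerException, which neither the CertificateEncodingException nor the LDAPException catch here handles, so it escapes publish without the PUBLISH_PUBLISH_ERROR log line. A guard such as `LDAPAttribute existing = entry.getAttribute(mCertAttr);` / `LDAPAttribute attr = (existing != null) ? getModificationAttribute(existing, certEnc) : new LDAPAttribute(mCertAttr, certEnc);` keeps the REPLACE working on a fresh entry. `res.next()` is likewise used without checking for a null entry. A smaller copy-paste in the same hunk: unpublish's argument check throws `"Illegal arg to publish"`, and `"Illegal arg to unpublish"` would make a stack trace point at the right method.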
@@ -199,7 +195,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
byte[] certEnc = cert.getEncoded();
// check if cert already deleted.
- LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
+ LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE,
"(objectclass=*)", new String[] { mCertAttr }, false);
LDAPEntry entry = res.next();
@@ -208,31 +204,23 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
return;
}
- LDAPModification mod = new LDAPModification(
- LDAPModification.DELETE, new LDAPAttribute(mCertAttr,
- certEnc));
+ LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
+ new LDAPAttribute(mCertAttr, certEnc));
- conn.modify(dn, mod);
+ conn.modify(dn, mod);
} catch (CertificateEncodingException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString()));
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) {
// need to intercept this because message from LDAP is
// "DSA is unavailable" which confuses with DSA PKI.
log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
- throw new ELdapServerDownException(CMS.getUserMessage(
- "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), ""
- + conn.getPort()));
+ CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER"));
+ throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort()));
} else {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR",
- e.toString()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString()));
}
}
return;
@@ -240,11 +228,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
private void log(int level, String msg) {
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level,
- "LdapUserCertPublisher: " + msg);
+ "LdapUserCertPublisher: " + msg);
}
- public LDAPAttribute getModificationAttribute(LDAPAttribute attr,
- byte[] bval) {
+ public LDAPAttribute getModificationAttribute(
+ LDAPAttribute attr, byte[] bval) {
LDAPAttribute at = new LDAPAttribute(attr.getName(), bval);
// determine if the given cert is a signing or an encryption
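Review bot: The log helper in this hunk still prefixes every message with `"LdapUserCertPublisher: "` although the class is LdapEncryptCertPublisher, so the "SKIP ENCRYPTION"/"SKIP SIGNING" entries that precede each revokeCert call are attributed to a different publisher in the system log, which matters when an operator is tracing why a certificate was revoked. Change it to `"LdapUserCertPublisher: " + msg` → `"LdapEncryptCertPublisher: " + msg` (the CMS.debug calls in publish already use the correct name). getModificationAttribute starts at the end of this hunk but its body continues in later hunks.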
@@ -268,13 +256,13 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
X509CertImpl cert = new X509CertImpl(val);
log(ILogger.LL_INFO, "Checking " + cert);
- if (CMS.isEncryptionCert(thisCert)
- && CMS.isEncryptionCert(cert)) {
+ if (CMS.isEncryptionCert(thisCert) &&
+ CMS.isEncryptionCert(cert)) {
// skip
log(ILogger.LL_INFO, "SKIP ENCRYPTION " + cert);
revokeCert(cert);
- } else if (CMS.isSigningCert(thisCert)
- && CMS.isSigningCert(cert)) {
+ } else if (CMS.isSigningCert(thisCert) &&
+ CMS.isSigningCert(cert)) {
// skip
log(ILogger.LL_INFO, "SKIP SIGNING " + cert);
revokeCert(cert);
@@ -282,35 +270,33 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
at.addValue(val);
}
} catch (Exception e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString()));
}
}
return at;
}
- private RevokedCertImpl formCRLEntry(BigInteger serialNo,
- RevocationReason reason) throws EBaseException {
+ private RevokedCertImpl formCRLEntry(
+ BigInteger serialNo, RevocationReason reason)
+ throws EBaseException {
CRLReasonExtension reasonExt = new CRLReasonExtension(reason);
CRLExtensions crlentryexts = new CRLExtensions();
try {
crlentryexts.set(CRLReasonExtension.NAME, reasonExt);
} catch (IOException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("PUBLISH_SET_CRL_REASON",
- reason.toString(), e.toString()));
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_SET_CRL_REASON", reason.toString(), e.toString()));
- throw new ELdapException(CMS.getUserMessage(
- "CMS_LDAP_INTERNAL_ERROR", e.toString()));
+ throw new ELdapException(CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString()));
}
- RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, new Date(),
- crlentryexts);
+ RevokedCertImpl crlentry =
+ new RevokedCertImpl(serialNo, new Date(), crlentryexts);
return crlentry;
}
- private void revokeCert(X509CertImpl cert) throws EBaseException {
+ private void revokeCert(X509CertImpl cert)
+ throws EBaseException {
try {
if (mConfig.getBoolean(PROP_REVOKE_CERT, true) == false) {
return;
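Review bot: The `catch (Exception e)` closing getModificationAttribute's loop (the method starts in an earlier hunk) logs PUBLISH_CHECK_FAILED and carries on, which swallows two different failures: an EBaseException from revokeCert means the old certificate is removed from the directory entry by the REPLACE yet remains valid at the CA, and a value that `new X509CertImpl(val)` cannot parse is silently dropped from the attribute because `at.addValue(val)` sits inside the same try. I would split the two: catch the parse failure around the X509CertImpl construction alone and keep the unparsed value in `at`, and let a revocation failure propagate (declare `throws EBaseException` on getModificationAttribute and convert it in publish) so the publish fails instead of leaving an unrevoked certificate behind. At minimum the PUBLISH_CHECK_FAILED log line should include the serial number involved so the gap can be found afterwards.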
@@ -320,11 +306,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
}
BigInteger serialNum = cert.getSerialNumber();
// need to revoke certificate also
- ICertificateAuthority ca = (ICertificateAuthority) CMS
- .getSubsystem("ca");
+ ICertificateAuthority ca = (ICertificateAuthority)
+ CMS.getSubsystem("ca");
ICAService service = (ICAService) ca.getCAService();
- RevokedCertImpl crlEntry = formCRLEntry(serialNum,
- RevocationReason.KEY_COMPROMISE);
+ RevokedCertImpl crlEntry = formCRLEntry(
+ serialNum, RevocationReason.KEY_COMPROMISE);
service.revokeCert(crlEntry);
}
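Review bot: revokeCert hands the CA `RevocationReason.KEY_COMPROMISE` for a certificate that is merely being replaced by a newer one of the same type, and since `mConfig.getBoolean(PROP_REVOKE_CERT, true)` (previous hunk) enables this by default, routine re-publication marks the prior key as compromised in the CRL, which relying parties treat far more severely than a superseded certificate and which misleads anyone later investigating a real compromise. Unless this publisher is specifically meant for compromise handling, `RevocationReason.SUPERSEDED` is the accurate reason; if the severity is deliberate, say so above the call with `// NOTE: re-publication revokes the previous cert as KEY_COMPROMISE by design`. Either way, log the serial number and reason at LL_INFO before `service.revokeCert(crlEntry);`, since nothing in this method records which certificate it revoked. revokeCert begins in the previous hunk.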
@@ -368,3 +354,4 @@ public class LdapEncryptCertPublisher implements ILdapPublisher,
}
}
+