Diffstat (limited to 'pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java | 143 |
1 files changed, 65 insertions, 78 deletions
diff --git a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java index 0dedf8f4..902763b4 100644 --- a/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java +++ b/pki/base/common/src/com/netscape/cms/publish/publishers/LdapEncryptCertPublisher.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.publish.publishers; + import java.io.IOException; import java.math.BigInteger; import java.security.cert.CertificateEncodingException; @@ -50,13 +51,13 @@ import com.netscape.certsrv.ldap.ELdapServerDownException; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.publish.ILdapPublisher; -/** - * Interface for mapping a X509 certificate to a LDAP entry - * + +/** + * Interface for mapping a X509 certificate to a LDAP entry + * * @version $Revision$, $Date$ */ -public class LdapEncryptCertPublisher implements ILdapPublisher, - IExtendedPluginInfo { +public class LdapEncryptCertPublisher implements ILdapPublisher, IExtendedPluginInfo { public static final String LDAP_USERCERT_ATTR = "userCertificate;binary"; public static final String PROP_REVOKE_CERT = "revokeCert"; @@ -80,10 +81,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { "certAttr;string;LDAP attribute in which to store the certificate", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-ldappublish-publisher-usercertpublisher", - IExtendedPluginInfo.HELP_TEXT - + ";This plugin knows how to publish user certificates" }; + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-ldappublish-publisher-usercertpublisher", + IExtendedPluginInfo.HELP_TEXT + + ";This plugin knows how to publish user certificates" + }; return params; 
@@ -107,7 +109,8 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, return mConfig; } - public void init(IConfigStore config) throws EBaseException { + public void init(IConfigStore config) + throws EBaseException { if (mInited) return; mConfig = config; @@ -121,16 +124,16 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, } /** - * publish a user certificate Adds the cert to the multi-valued certificate - * attribute as a DER encoded binary blob. Does not check if cert already - * exists. + * publish a user certificate + * Adds the cert to the multi-valued certificate attribute as a + * DER encoded binary blob. Does not check if cert already exists. * * @param conn the LDAP connection * @param dn dn of the entry to publish the certificate - * @param certObj the certificate object. + * @param certObj the certificate object. */ public void publish(LDAPConnection conn, String dn, Object certObj) - throws ELdapException { + throws ELdapException { if (conn == null) return; 
@@ -144,52 +147,45 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, byte[] certEnc = cert.getEncoded(); // check if cert already exists. - LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", new String[] { mCertAttr }, false); LDAPEntry entry = res.next(); - LDAPAttribute attr = getModificationAttribute( - entry.getAttribute(mCertAttr), certEnc); + LDAPAttribute attr = getModificationAttribute(entry.getAttribute(mCertAttr), certEnc); if (attr == null) { log(ILogger.LL_INFO, "publish: " + dn + " already has cert."); return; } - // publish - LDAPModification mod = new LDAPModification( - LDAPModification.REPLACE, attr); + // publish + LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr); - conn.modify(dn, mod); + conn.modify(dn, mod); } catch (CertificateEncodingException e) { - CMS.debug("LdapEncryptCertPublisher: error in publish: " - + e.toString()); - throw new ELdapException(CMS.getUserMessage( - "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + CMS.debug("LdapEncryptCertPublisher: error in publish: " + e.toString()); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); } catch (LDAPException e) { if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { // need to intercept this because message from LDAP is // "DSA is unavailable" which confuses with DSA PKI. 
log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); - throw new ELdapServerDownException(CMS.getUserMessage( - "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" - + conn.getPort())); + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); } else { - log(ILogger.LL_FAILURE, CMS.getLogMessage( - "PUBLISH_PUBLISH_ERROR", e.toString())); - throw new ELdapException(CMS.getUserMessage( - "CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_PUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_PUBLISH_USERCERT_ERROR", e.toString())); } } return; } /** - * unpublish a user certificate deletes the certificate from the list of - * certificates. does not check if certificate is already there. + * unpublish a user certificate + * deletes the certificate from the list of certificates. + * does not check if certificate is already there. */ public void unpublish(LDAPConnection conn, String dn, Object certObj) - throws ELdapException { + throws ELdapException { if (!(certObj instanceof X509Certificate)) throw new IllegalArgumentException("Illegal arg to publish"); @@ -199,7 +195,7 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, byte[] certEnc = cert.getEncoded(); // check if cert already deleted. - LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, + LDAPSearchResults res = conn.search(dn, LDAPv2.SCOPE_BASE, "(objectclass=*)", new String[] { mCertAttr }, false); LDAPEntry entry = res.next(); 
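Review bot: In `publish`, the rewrapped call `getModificationAttribute(entry.getAttribute(mCertAttr), certEnc)` passes the lookup result through unchecked, and the first statement of `getModificationAttribute` visible in a later hunk is `new LDAPAttribute(attr.getName(), bval)`. If the entry holds no value for `mCertAttr` yet (the lookup presumably returns null in that case), or `res.next()` yields no entry, this raises a NullPointerException that neither catch block here converts into an `ELdapException`. A guard such as `String name = (attr == null) ? mCertAttr : attr.getName();` in `getModificationAttribute`, plus a null check on `entry`, would keep first-time publication on the normal error path. Part of `getModificationAttribute` lies outside the hunks, so confirm whether a null check already exists after the dereference.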
@@ -208,31 +204,23 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, return; } - LDAPModification mod = new LDAPModification( - LDAPModification.DELETE, new LDAPAttribute(mCertAttr, - certEnc)); + LDAPModification mod = new LDAPModification(LDAPModification.DELETE, + new LDAPAttribute(mCertAttr, certEnc)); - conn.modify(dn, mod); + conn.modify(dn, mod); } catch (CertificateEncodingException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); - throw new ELdapException(CMS.getUserMessage( - "CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_GET_DER_ENCODED_CERT_FAILED", e.toString())); } catch (LDAPException e) { if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE) { // need to intercept this because message from LDAP is // "DSA is unavailable" which confuses with DSA PKI. log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); - throw new ELdapServerDownException(CMS.getUserMessage( - "CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" - + conn.getPort())); + CMS.getLogMessage("PUBLISH_NO_LDAP_SERVER")); + throw new ELdapServerDownException(CMS.getUserMessage("CMS_LDAP_SERVER_UNAVAILABLE", conn.getHost(), "" + conn.getPort())); } else { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", - e.toString())); - throw new ELdapException(CMS.getUserMessage( - "CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_UNPUBLISH_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_UNPUBLISH_USERCERT_ERROR", e.toString())); } } return; 
@@ -240,11 +228,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, private void log(int level, String msg) { mLogger.log(ILogger.EV_SYSTEM, ILogger.S_LDAP, level, - "LdapUserCertPublisher: " + msg); + "LdapUserCertPublisher: " + msg); } - public LDAPAttribute getModificationAttribute(LDAPAttribute attr, - byte[] bval) { + public LDAPAttribute getModificationAttribute( + LDAPAttribute attr, byte[] bval) { LDAPAttribute at = new LDAPAttribute(attr.getName(), bval); // determine if the given cert is a signing or an encryption @@ -268,13 +256,13 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, X509CertImpl cert = new X509CertImpl(val); log(ILogger.LL_INFO, "Checking " + cert); - if (CMS.isEncryptionCert(thisCert) - && CMS.isEncryptionCert(cert)) { + if (CMS.isEncryptionCert(thisCert) && + CMS.isEncryptionCert(cert)) { // skip log(ILogger.LL_INFO, "SKIP ENCRYPTION " + cert); revokeCert(cert); - } else if (CMS.isSigningCert(thisCert) - && CMS.isSigningCert(cert)) { + } else if (CMS.isSigningCert(thisCert) && + CMS.isSigningCert(cert)) { // skip log(ILogger.LL_INFO, "SKIP SIGNING " + cert); revokeCert(cert); 
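Review bot: The `log` helper still prefixes every entry with `"LdapUserCertPublisher: "` although the class is `LdapEncryptCertPublisher`; the `CMS.debug` call in `publish` already uses the correct name. This publisher can revoke certificates with `RevocationReason.KEY_COMPROMISE`, so misattributed log lines make it harder to trace which plugin triggered a revocation when reviewing system logs. Since the line is being touched anyway, suggest `"LdapEncryptCertPublisher: " + msg);`.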
@@ -282,35 +270,33 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, at.addValue(val); } } catch (Exception e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_CHECK_FAILED", e.toString())); } } return at; } - private RevokedCertImpl formCRLEntry(BigInteger serialNo, - RevocationReason reason) throws EBaseException { + private RevokedCertImpl formCRLEntry( + BigInteger serialNo, RevocationReason reason) + throws EBaseException { CRLReasonExtension reasonExt = new CRLReasonExtension(reason); CRLExtensions crlentryexts = new CRLExtensions(); try { crlentryexts.set(CRLReasonExtension.NAME, reasonExt); } catch (IOException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("PUBLISH_SET_CRL_REASON", - reason.toString(), e.toString())); + log(ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_SET_CRL_REASON", reason.toString(), e.toString())); - throw new ELdapException(CMS.getUserMessage( - "CMS_LDAP_INTERNAL_ERROR", e.toString())); + throw new ELdapException(CMS.getUserMessage("CMS_LDAP_INTERNAL_ERROR", e.toString())); } - RevokedCertImpl crlentry = new RevokedCertImpl(serialNo, new Date(), - crlentryexts); + RevokedCertImpl crlentry = + new RevokedCertImpl(serialNo, new Date(), crlentryexts); return crlentry; } - private void revokeCert(X509CertImpl cert) throws EBaseException { + private void revokeCert(X509CertImpl cert) + throws EBaseException { try { if (mConfig.getBoolean(PROP_REVOKE_CERT, true) == false) { return; 
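Review bot: The `catch (Exception e)` closing the per-value loop in `getModificationAttribute` only logs `PUBLISH_CHECK_FAILED` and continues, so a value whose parsing or `revokeCert` call failed never reaches `at.addValue(val)`. Because `publish` writes the result with `LDAPModification.REPLACE`, that certificate appears to be dropped from the directory entry even though its revocation did not complete, leaving a still-valid certificate that is no longer published. Consider retaining the value on failure (`at.addValue(val);` in the catch, if `val` is in scope there) or propagating the error so the publish is aborted, with a comment such as `// revocation failed: keep existing value so directory and CA state stay consistent`. The loop header is outside the hunk, so check this against the full method.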
@@ -320,11 +306,11 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, } BigInteger serialNum = cert.getSerialNumber(); // need to revoke certificate also - ICertificateAuthority ca = (ICertificateAuthority) CMS - .getSubsystem("ca"); + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem("ca"); ICAService service = (ICAService) ca.getCAService(); - RevokedCertImpl crlEntry = formCRLEntry(serialNum, - RevocationReason.KEY_COMPROMISE); + RevokedCertImpl crlEntry = formCRLEntry( + serialNum, RevocationReason.KEY_COMPROMISE); service.revokeCert(crlEntry); } @@ -368,3 +354,4 @@ public class LdapEncryptCertPublisher implements ILdapPublisher, } } + |