Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java | 183 |
1 files changed, 94 insertions, 89 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java b/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
index 663585bf..58d6aba6 100644
--- a/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
@@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.cert; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException;
@@ -47,23 +46,21 @@ import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.publish.IXcertPublisherProcessor; import com.netscape.cmscore.ldapconn.LdapBoundConnFactory; - /** - * Subsystem for handling cross certificate pairing and publishing - * Intended use: + * Subsystem for handling cross certificate pairing and publishing Intended use: * <ul> - * <li> when signing a subordinate CA cert which is intended to be - * part of the crossCertificatePair - * <li> when this ca submits a request (with existing CA signing key - * material to another ca for cross-signing - *</ul> - * In both cases, administrator needs to "import" the crossSigned - * certificates via the admin console. When importCert() is called, - * the imported cert will be stored in the internal db - * first until it's pairing cert shows up. - * If it happens that the above two cases finds its pairing - * cert already there, then a CertifiatePair is created and put - * in the internal db "crosscertificatepair;binary" attribute + * <li>when signing a subordinate CA cert which is intended to be part of the + * crossCertificatePair + * <li>when this ca submits a request (with existing CA signing key material to + * another ca for cross-signing + * </ul> + * In both cases, administrator needs to "import" the crossSigned certificates + * via the admin console. When importCert() is called, the imported cert will be + * stored in the internal db first until it's pairing cert shows up. If it + * happens that the above two cases finds its pairing cert already there, then a + * CertifiatePair is created and put in the internal db + * "crosscertificatepair;binary" attribute + * * @author cfu * @version $Revision$, $Date$ */
@@ -100,7 +97,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { try { mConfig = config; mLogger = CMS.getLogger();
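Review bot: The reflowed class Javadoc now runs "publishing Intended use:" together on one line, so two separate sentences read as one; end the first with a period or a paragraph break, e.g. `* Subsystem for handling cross certificate pairing and publishing.` followed by `* <p>Intended use:`. While the text is being touched, "CertifiatePair" and "it's pairing cert" could become "CertificatePair" and "its pairing cert"; the same typos recur in both importCert Javadocs later in the diff. The enclosing class continues beyond this hunk.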
@@ -112,21 +109,19 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { if (ldapConfig == null) { log(ILogger.LL_MISCONF, - CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", - PROP_LDAP)); + CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", PROP_LDAP)); return; } mBaseDN = ldapConfig.getString(PROP_BASEDN, null); - + mLdapConnFactory = new LdapBoundConnFactory(); if (mLdapConnFactory != null) mLdapConnFactory.init(ldapConfig); else { log(ILogger.LL_MISCONF, - CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", - PROP_LDAP)); + CMS.getLogMessage("CMSCORE_DBS_CONF_ERROR", PROP_LDAP)); return; } } catch (EBaseException e) {
@@ -137,14 +132,12 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } /** - * "import" the CA cert cross-signed by another CA (potentially a - * bridge CA) into internal ldap db. - * the imported cert will be stored in the internal db - * first until it's pairing cert shows up. - * If it happens that it finds its pairing - * cert already there, then a CertifiatePair is created and put + * "import" the CA cert cross-signed by another CA (potentially a bridge CA) + * into internal ldap db. the imported cert will be stored in the internal + * db first until it's pairing cert shows up. If it happens that it finds + * its pairing cert already there, then a CertifiatePair is created and put * in the internal db "crosscertificatepair;binary" attribute - * + * * @param certBytes cert in byte array to be imported */ public void importCert(byte[] certBytes) throws EBaseException {
@@ -154,7 +147,9 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { try { cert = byteArray2X509Cert(certBytes); } catch (CertificateException e) { - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); }
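Review bot: The `if (mLdapConnFactory != null)` test immediately after `mLdapConnFactory = new LdapBoundConnFactory();` can never be false, so the `else` branch that logs CMSCORE_DBS_CONF_ERROR and returns is unreachable, and the new side keeps it. Calling `mLdapConnFactory.init(ldapConfig);` unconditionally and deleting the else removes a misleading error path without changing behaviour; a genuine configuration failure is still surfaced by the `catch (EBaseException e)` that follows. The body of init() starts and ends outside this hunk.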
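Review bot: `throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString())` in the CertificateException catch discards the caught exception, so the stack trace and cause are gone by the time the failure is reported; the re-wrapped lines keep that. If EBaseException has a constructor that takes the underlying exception (not visible in this diff), pass `e` to it; otherwise log the exception with its stack trace before throwing. The same pattern is rewritten in the hunks at -256 (the LDAP/IO/certificate catches of importCert(Object)) and -435 (publishCertPairs), and the fix applies there too. importCert(byte[]) continues outside this hunk.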
@@ -162,14 +157,12 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } /** - * "import" the CA cert cross-signed by another CA (potentially a - * bridge CA) into internal ldap db. - * the imported cert will be stored in the internal db - * first until it's pairing cert shows up. - * If it happens that it finds its pairing - * cert already there, then a CertifiatePair is created and put + * "import" the CA cert cross-signed by another CA (potentially a bridge CA) + * into internal ldap db. the imported cert will be stored in the internal + * db first until it's pairing cert shows up. If it happens that it finds + * its pairing cert already there, then a CertifiatePair is created and put * in the internal db "crosscertificatepair;binary" attribute - * + * * @param certBytes cert in byte array to be imported */ public synchronized void importCert(Object certObj) throws EBaseException {
@@ -182,8 +175,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // 1. does cert2 share the same key pair as this CA's signing // cert // 2. does cert2's subject match this CA's subject? - // 3. other valididity checks: is this a ca cert? Is this - // cert still valid? If the issuer is not yet trusted, let it + // 3. other valididity checks: is this a ca cert? Is this + // cert still valid? If the issuer is not yet trusted, let it // be. // get certs from internal db to see if we find a pair
@@ -199,7 +192,8 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { LDAPEntry entry = (LDAPEntry) res.nextElement(); LDAPAttribute caCerts = entry.getAttribute(LDAP_ATTR_CA_CERT); - LDAPAttribute certPairs = entry.getAttribute(LDAP_ATTR_XCERT_PAIR); + LDAPAttribute certPairs = entry + .getAttribute(LDAP_ATTR_XCERT_PAIR); if (caCerts == null) { debug("no existing ca certs, just import");
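Review bot: The Javadoc on `importCert(Object certObj)` is a copy of the byte[] overload's, so `@param certBytes cert in byte array to be imported` names a parameter this method does not have and says nothing about what the Object is expected to be. Change it to `@param certObj the certificate object to be imported` (naming the concrete type the body casts it to, which is outside this hunk), and trim the duplicated prose to what differs from the byte[] overload. The method body starts outside this hunk.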
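Review bot: The numbered comment describes checks on the incoming cert (same key pair as this CA's signing cert, subject match, CA cert, still valid), but nothing in the hunk performs them and the next comment goes straight to the internal-db pair search, so it reads as a plan rather than a description; if the checks exist elsewhere in importCert(Object) the comment should say where, otherwise mark it `// TODO: validate the incoming cert before storing it (key pair, subject, CA, validity)` so a reader does not assume they are enforced. Since a stored pair is later published by publishCertPairs, the point at which an imported cert is accepted is where such validation belongs. Also "valididity" should be "validity". The enclosing method continues beyond the hunk.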
@@ -208,7 +202,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } Enumeration en = caCerts.getByteValues(); - + if ((en == null) || (en.hasMoreElements() == false)) { debug("1st potential xcert"); addCAcert(conn, cert.getEncoded());
@@ -232,8 +226,9 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // caCertificate attr, and publish if so configured debug("found a pair!"); CertificatePair cp = new - // CertificatePair(inCert.getEncoded(), cert.getEncoded()); - CertificatePair(inCert, cert); + // CertificatePair(inCert.getEncoded(), + // cert.getEncoded()); + CertificatePair(inCert, cert); addXCertPair(conn, certPairs, cp); deleteCAcert(conn, inCert.getEncoded());
@@ -242,7 +237,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { break; } } - } //while + } // while if (match == false) { // don't find a pair, add it into // caCertificate attr for later pairing
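Review bot: `CertificatePair cp = new` is split from its constructor call by two comment lines carrying the old `CertificatePair(inCert.getEncoded(), cert.getEncoded())` form, and the reformat wraps that dead code rather than dropping it, which makes the statement hard to read. Delete the two comment lines and write `CertificatePair cp = new CertificatePair(inCert, cert);` on one line; the old form is in version control if anyone needs it. The while loop this statement sits in starts and ends outside the hunk.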
@@ -256,22 +251,32 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { log(ILogger.LL_INFO, "ldap search found no " + DN_XCERTS); } } catch (IOException e) { - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); } catch (LDAPException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); } catch (ELdapException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); } catch (CertificateException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); } finally { try { returnConn(conn); } catch (ELdapException e) { log(ILogger.LL_FAILURE, "exception: " + e.toString()); - throw new EBaseException("CrossCertPairSubsystem: importCert() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: importCert() failed:" + + e.toString()); } } debug("importCert(Object) completed"); 
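Review bot: The `throw new EBaseException(...)` inside the `finally` block's `catch (ELdapException e)` replaces any exception already propagating from the try body, so an LDAP, I/O or certificate failure in the pairing logic would be reported as a returnConn() failure and its own message lost. Keeping the existing `log(ILogger.LL_FAILURE, "exception: " + e.toString());` in that catch and removing the throw leaves the original failure visible to the caller, while a failed connection return is still recorded; if callers must learn about the return failure too, rethrow only when no exception is already pending. importCert(Object) starts outside this hunk.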
@@ -279,41 +284,41 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { /** * are cert1 and cert2 cross-signed certs? + * * @param cert1 the cert for comparison in our internal db * @param cert2 the cert that's being considered */ protected boolean arePair(X509Certificate cert1, X509Certificate cert2) { // 1. does cert1's issuer match cert2's subject? // 2. does cert2's issuer match cert1's subject? - if ((cert1.getIssuerDN().equals((Object) cert2.getSubjectDN())) - && (cert2.getIssuerDN().equals((Object) cert1.getSubjectDN()))) + if ((cert1.getIssuerDN().equals((Object) cert2.getSubjectDN())) + && (cert2.getIssuerDN().equals((Object) cert1.getSubjectDN()))) return true; else return false; } - public X509Certificate byteArray2X509Cert(byte[] certBytes) - throws CertificateException { + public X509Certificate byteArray2X509Cert(byte[] certBytes) + throws CertificateException { debug("in bytearray2X509Cert()"); - ByteArrayInputStream inStream = new - ByteArrayInputStream(certBytes); + ByteArrayInputStream inStream = new ByteArrayInputStream(certBytes); - CertificateFactory cf = - CertificateFactory.getInstance("X.509"); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream); + X509Certificate cert = (X509Certificate) cf + .generateCertificate(inStream); debug("done bytearray2X509Cert()"); return cert; } public synchronized void addXCertPair(LDAPConnection conn, - LDAPAttribute certPairs, CertificatePair pair) - throws LDAPException, IOException { + LDAPAttribute certPairs, CertificatePair pair) + throws LDAPException, IOException { ByteArrayOutputStream bos = new ByteArrayOutputStream(); pair.encode(bos); - + if (ByteValueExists(certPairs, bos.toByteArray()) == true) { debug("cross cert pair exists in internal db, don't add again"); return; 
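Review bot: `arePair` compares names through `getIssuerDN()`/`getSubjectDN()`, which return implementation-specific Principals (the accessors are marked for replacement in current JDKs) whose `equals` need not treat differently encoded but equivalent names as equal; `X500Principal.equals` does a canonical comparison. Writing the body as `return cert1.getIssuerX500Principal().equals(cert2.getSubjectX500Principal())` `&& cert2.getIssuerX500Principal().equals(cert1.getSubjectX500Principal());` fixes that and drops the `if/else return true/false`. Note also that name agreement alone does not show either cert was issued under the other's key; if that is meant to be part of "are a pair", `cert1.verify(cert2.getPublicKey())` and the converse would establish it, at the cost of handling their checked exceptions. The class continues beyond this hunk.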
@@ -322,9 +327,9 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { // add certificatePair LDAPModificationSet modSet = new LDAPModificationSet(); - modSet.add(LDAPModification.ADD, - new LDAPAttribute(LDAP_ATTR_XCERT_PAIR, bos.toByteArray())); - conn.modify(DN_XCERTS + "," + mBaseDN, modSet); + modSet.add(LDAPModification.ADD, new LDAPAttribute( + LDAP_ATTR_XCERT_PAIR, bos.toByteArray())); + conn.modify(DN_XCERTS + "," + mBaseDN, modSet); } /**
@@ -366,24 +371,22 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { debug("exiting byteArraysAreEqual(): true"); return true; } - + public synchronized void addCAcert(LDAPConnection conn, byte[] certEnc) - throws LDAPException { - LDAPModificationSet modSet = new - LDAPModificationSet(); - - modSet.add(LDAPModification.ADD, - new LDAPAttribute(LDAP_ATTR_CA_CERT, certEnc)); + throws LDAPException { + LDAPModificationSet modSet = new LDAPModificationSet(); + + modSet.add(LDAPModification.ADD, new LDAPAttribute(LDAP_ATTR_CA_CERT, + certEnc)); conn.modify(DN_XCERTS + "," + mBaseDN, modSet); } public synchronized void deleteCAcert(LDAPConnection conn, byte[] certEnc) - throws LDAPException { - LDAPModificationSet modSet = new - LDAPModificationSet(); + throws LDAPException { + LDAPModificationSet modSet = new LDAPModificationSet(); - modSet.add(LDAPModification.DELETE, - new LDAPAttribute(LDAP_ATTR_CA_CERT, certEnc)); + modSet.add(LDAPModification.DELETE, new LDAPAttribute( + LDAP_ATTR_CA_CERT, certEnc)); conn.modify(DN_XCERTS + "," + mBaseDN, modSet); }
@@ -393,8 +396,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { public synchronized void publishCertPairs() throws EBaseException { LDAPConnection conn = null; - if ((mPublisherProcessor == null) || - !mPublisherProcessor.enabled()) + if ((mPublisherProcessor == null) || !mPublisherProcessor.enabled()) return; try {
@@ -421,7 +423,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } Enumeration en = xcerts.getByteValues(); - + if ((en == null) || (en.hasMoreElements() == false)) { debug("publishCertPair found no pairs in internal db"); return;
@@ -435,19 +437,23 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { continue; } else { try { - //found a cross cert pair, publish if we could + // found a cross cert pair, publish if we could IXcertPublisherProcessor xp = null; xp = (IXcertPublisherProcessor) mPublisherProcessor; xp.publishXCertPair(val); } catch (Exception e) { - throw new EBaseException("CrossCertPairSubsystem: publishCertPairs() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: publishCertPairs() failed:" + + e.toString()); } } }// while - }//if + }// if } catch (Exception e) { - throw new EBaseException("CrossCertPairSubsystem: publishCertPairs() failed:" + e.toString()); + throw new EBaseException( + "CrossCertPairSubsystem: publishCertPairs() failed:" + + e.toString()); } }
@@ -476,16 +482,16 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { try { mLdapConnFactory.reset(); } catch (ELdapException e) { - CMS.debug("CrossCertPairSubsystem shutdown exception: "+e.toString()); + CMS.debug("CrossCertPairSubsystem shutdown exception: " + + e.toString()); } } mLdapConnFactory = null; } /* - * Returns the root configuration storage of this system. - * <P> - * + * Returns the root configuration storage of this system. <P> + * * @return configuration store of this subsystem */ public IConfigStore getConfigStore() {
@@ -493,8 +499,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem { } protected void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, - ILogger.S_XCERT, level, msg); + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_XCERT, level, msg); } private static void debug(String msg) { |
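Review bot: In the publish loop `IXcertPublisherProcessor xp = null;` followed by `xp = (IXcertPublisherProcessor) mPublisherProcessor;` is a declare-then-assign of a value that never changes, and because the cast sits inside the `try`, a processor that does not implement IXcertPublisherProcessor is reported with the same generic "publishCertPairs() failed" message as a real publish error. Declare it in one statement, `IXcertPublisherProcessor xp = (IXcertPublisherProcessor) mPublisherProcessor;`, before the `try` (or, if the enclosing while loop permits, once before the loop) so a configuration mismatch surfaces as what it is. The nested `catch (Exception e)` blocks catch more than the publish call can throw; narrowing them to the exception types publishXCertPair declares would keep programming errors from being rewrapped. The while loop and the outer try start outside this hunk.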