Class UniqueKeyConstraint
java.lang.Object
  com.netscape.cms.profile.constraint.EnrollConstraint
    com.netscape.cms.profile.constraint.UniqueKeyConstraint
- All Implemented Interfaces:
IPolicyConstraint, IConfigTemplate
public class UniqueKeyConstraint extends EnrollConstraint
This constraint checks for public key uniqueness. The config param "allowSameKeyRenewal" enables the case where, if the public key is not unique and the subject DN is the same, the request is treated as a "renewal". Another "feature" that is commented out of this code is the "revokeDupKeyCert" option, which enables the revocation of certs that bear the same public key as the enrolling request. Since this can potentially be abused, it is taken out and preserved in comments to allow future refinement.
- Version:
$Revision$, $Date$
-
Field Summary
Fields (Modifier and Type, Field):
- static java.lang.String CONFIG_ALLOW_SAME_KEY_RENEWAL
- ICertificateAuthority mCA
-
Fields inherited from class com.netscape.cms.profile.constraint.EnrollConstraint
CONFIG_NAME, CONFIG_PARAMS, mConfig, mConfigNames
-
-
Constructor Summary
Constructors:
- UniqueKeyConstraint()
-
Method Summary
Methods (Modifier and Type, Method, Description):
- static java.lang.String escapeBinaryData(byte[] data)
- IDescriptor getConfigDescriptor(java.util.Locale locale, java.lang.String name)
  Returns the descriptors of configuration parameter.
- java.lang.String getDefaultConfig(java.lang.String name)
- java.lang.String getText(java.util.Locale locale)
  make a CRL entry from a serial number and revocation reason.
- void init(IProfile profile, IConfigStore config)
  Initializes this constraint policy.
- boolean isApplicable(IPolicyDefault def)
  Checks if this constraint is applicable to the given default policy.
- void validate(IRequest request, X509CertInfo info)
  Validates the request.
-
Methods inherited from class com.netscape.cms.profile.constraint.EnrollConstraint
addConfigName, getBoolean, getConfig, getConfig, getConfigBoolean, getConfigInt, getConfigNames, getConfigStore, getExtension, getInt, getLocale, getName, getValueDescriptor, isOptional, setConfig, validate
-
Field Detail
-
CONFIG_ALLOW_SAME_KEY_RENEWAL
public static final java.lang.String CONFIG_ALLOW_SAME_KEY_RENEWAL
- See Also:
- Constant Field Values
-
mCA
public ICertificateAuthority mCA
-
-
Method Detail
-
init
public void init(IProfile profile, IConfigStore config) throws EProfileException
Description copied from interface: IPolicyConstraint
Initializes this constraint policy.
- Specified by: init in interface IPolicyConstraint
- Overrides: init in class EnrollConstraint
- Parameters:
  profile - owner of this policy
  config - configuration store for this constraint
- Throws:
  EProfileException - failed to initialize
-
getConfigDescriptor
public IDescriptor getConfigDescriptor(java.util.Locale locale, java.lang.String name)
Description copied from interface: IConfigTemplate
Returns the descriptors of configuration parameter.
- Specified by: getConfigDescriptor in interface IConfigTemplate
- Overrides: getConfigDescriptor in class EnrollConstraint
- Parameters:
  locale - user locale
  name - configuration parameter name
- Returns:
  descriptor
-
getDefaultConfig
public java.lang.String getDefaultConfig(java.lang.String name)
-
validate
public void validate(IRequest request, X509CertInfo info) throws ERejectException
Validates the request. The request is not modified during the validation. It will try to capture the original cert's expiration info for a later renewal. Renewal can be either renewal with the same key or with a new key. When renewing with the same key, the old cert record can be retrieved and used to fill in original info, such as the original expiration date, for use with RenewGracePeriodConstraint. Renewing with a new key is no different from regular enrollment. A search by ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA tells us whether the request is reusing the same key or not. If any cert with the same key in the repository is found to be revoked, then the request is rejected. This constraint has to go before the RenewGracePeriodConstraint, but after any of the SubjectName Default and Constraint.
- Specified by: validate in class EnrollConstraint
- Parameters:
  request - enrollment request
  info - certificate template
- Throws:
  ERejectException - request is rejected due to violation of constraint
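The decision flow described for validate, modelled over an in-memory list, as an added example that is not Dogtag's own code. The names CertRec, Decision and check are hypothetical, and the order of the checks, the all-certificates-must-match DN rule and the choice of the latest expiry are assumptions made for illustration.

```java
import java.time.Instant;
import java.util.Comparator;
import java.util.List;

// Added illustration. CertRec, Decision and check() are hypothetical names, not
// Dogtag classes; the list stands in for the CA's certificate repository.
// Requires Java 16+ (records, Stream.toList).
public class UniqueKeyDemo {
    record CertRec(String keyHex, String subjectDN, Instant notAfter, boolean revoked) {}
    record Decision(boolean accepted, boolean renewal, Instant origNotAfter, String reason) {}

    static Decision check(List<CertRec> repo, String keyHex, String subjectDN,
                          boolean allowSameKeyRenewal) {
        // Stand-in for the search on the stored public key data.
        List<CertRec> sameKey = repo.stream()
                .filter(c -> c.keyHex().equals(keyHex)).toList();
        if (sameKey.isEmpty())
            return new Decision(true, false, null, "unique key: regular enrollment");
        // Any revoked certificate bearing this key rejects the request.
        if (sameKey.stream().anyMatch(CertRec::revoked))
            return new Decision(false, false, null, "key appears on a revoked cert");
        if (!allowSameKeyRenewal)
            return new Decision(false, false, null, "public key is not unique");
        // Assumption: every cert sharing the key must carry the requester's DN.
        // Plain string comparison here; real DN matching needs normalization.
        if (!sameKey.stream().allMatch(c -> c.subjectDN().equals(subjectDN)))
            return new Decision(false, false, null, "key belongs to another subject");
        // Assumption: keep the latest expiry as the original expiration info.
        Instant orig = sameKey.stream().map(CertRec::notAfter)
                .max(Comparator.naturalOrder()).orElseThrow();
        return new Decision(true, true, orig, "same key, same DN: renewal");
    }

    public static void main(String[] args) {
        // Constructed sample records, not real certificates.
        List<CertRec> repo = List.of(
            new CertRec("aa01", "CN=alice,O=Example", Instant.parse("2025-01-01T00:00:00Z"), false),
            new CertRec("bb02", "CN=bob,O=Example", Instant.parse("2025-06-01T00:00:00Z"), true));
        System.out.println(check(repo, "cc03", "CN=carol,O=Example", true));   // new key
        System.out.println(check(repo, "aa01", "CN=alice,O=Example", true));   // renewal
        System.out.println(check(repo, "aa01", "CN=alice,O=Example", false));  // duplicate
        System.out.println(check(repo, "aa01", "CN=mallory,O=Example", true)); // other DN
        System.out.println(check(repo, "bb02", "CN=bob,O=Example", true));     // revoked
    }
}
```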
-
getText
public java.lang.String getText(java.util.Locale locale)
make a CRL entry from a serial number and revocation reason.
- Specified by: getText in interface IPolicyConstraint
- Overrides: getText in class EnrollConstraint
- Parameters:
  locale - locale of the end-user
- Returns:
  a RevokedCertImpl that can be entered in a CRL.

    protected RevokedCertImpl formCRLEntry(
            BigInteger serialNo, RevocationReason reason)
            throws EBaseException {
        CRLReasonExtension reasonExt = new CRLReasonExtension(reason);
        CRLExtensions crlentryexts = new CRLExtensions();

        try {
            crlentryexts.set(CRLReasonExtension.NAME, reasonExt);
        } catch (IOException e) {
            CMS.debug("CMSGW_ERR_CRL_REASON " + e.toString());
            // throw new ECMSGWException(
            //     CMS.getLogMessage("CMSGW_ERROR_SETTING_CRLREASON"));
        }
        RevokedCertImpl crlentry =
                new RevokedCertImpl(serialNo, CMS.getCurrentDate(), crlentryexts);
        return crlentry;
    }
-
escapeBinaryData
public static java.lang.String escapeBinaryData(byte[] data)
-
isApplicable
public boolean isApplicable(IPolicyDefault def)
Description copied from interface: IPolicyConstraint
Checks if this constraint is applicable to the given default policy.
- Specified by: isApplicable in interface IPolicyConstraint
- Overrides: isApplicable in class EnrollConstraint
- Parameters:
  def - default policy to be checked
- Returns:
  true if this constraint can be applied to the given default policy