/*
|
* CDDL HEADER START
|
*
|
* The contents of this file are subject to the terms of the
|
* Common Development and Distribution License, Version 1.0 only
|
* (the "License"). You may not use this file except in compliance
|
* with the License.
|
*
|
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
|
* or http://forgerock.org/license/CDDLv1.0.html.
|
* See the License for the specific language governing permissions
|
* and limitations under the License.
|
*
|
* When distributing Covered Code, include this CDDL HEADER in each
|
* file and include the License file at legal-notices/CDDLv1_0.txt.
|
* If applicable, add the following below this CDDL HEADER, with the
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
* information:
|
* Portions Copyright [yyyy] [name of copyright owner]
|
*
|
* CDDL HEADER END
|
*
|
*
|
* Copyright 2006-2008 Sun Microsystems, Inc.
|
* Portions Copyright 2012 Forgerock AS
|
* Portions Copyright 2013-2014 Manuel Gaupp
|
*/
|
package org.opends.server.schema;
|
|
|
|
import java.util.List;
|
|
import org.opends.server.admin.server.ConfigurationChangeListener;
|
import org.opends.server.admin.std.server.CertificateAttributeSyntaxCfg;
|
import org.opends.server.api.ApproximateMatchingRule;
|
import org.opends.server.api.AttributeSyntax;
|
import org.opends.server.api.EqualityMatchingRule;
|
import org.opends.server.api.OrderingMatchingRule;
|
import org.opends.server.api.SubstringMatchingRule;
|
import org.opends.server.config.ConfigException;
|
import org.opends.server.core.DirectoryServer;
|
import org.opends.server.types.ByteSequence;
|
import org.opends.server.types.ConfigChangeResult;
|
import org.opends.server.types.ResultCode;
|
|
import org.opends.server.protocols.asn1.ASN1;
|
import org.opends.server.protocols.asn1.ASN1Exception;
|
import org.opends.server.protocols.asn1.ASN1Reader;
|
|
import static org.opends.server.loggers.ErrorLogger.*;
|
import static org.opends.messages.SchemaMessages.*;
|
|
import org.opends.messages.Message;
|
import org.opends.messages.MessageBuilder;
|
import static org.opends.server.schema.SchemaConstants.*;
|
import static org.opends.server.protocols.asn1.ASN1Constants.*;
|
|
|
/**
|
* This class implements the certificate attribute syntax. It is restricted to
|
* accept only X.509 certificates.
|
*/
|
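public class CertificateSyntax
       extends AttributeSyntax<CertificateAttributeSyntaxCfg>
       implements ConfigurationChangeListener<CertificateAttributeSyntaxCfg>
{
  // The default equality matching rule for this syntax, looked up by
  // EMR_CERTIFICATE_EXACT_OID. Stays null if the server does not know the
  // rule; that case is only logged in initializeSyntax.
  private EqualityMatchingRule defaultEqualityMatchingRule;

  // The default ordering matching rule for this syntax, looked up by
  // OMR_OCTET_STRING_OID (null if unknown, see above).
  private OrderingMatchingRule defaultOrderingMatchingRule;

  // The default substring matching rule for this syntax, looked up by
  // SMR_OCTET_STRING_OID (null if unknown, see above).
  private SubstringMatchingRule defaultSubstringMatchingRule;

  // The current configuration. Volatile so that a replacement installed by
  // applyConfigurationChange (presumably on an administration thread) is
  // visible to concurrent valueIsAcceptable calls without locking.
  private volatile CertificateAttributeSyntaxCfg config;

  // X.509 encodes the certificate version as (version - 1): v1 = 0, v2 = 1,
  // v3 = 2. Values above this are rejected.
  private static final long MAX_X509_VERSION = 2;



  /**
   * Creates a new instance of this syntax. Note that the only thing that
   * should be done here is to invoke the default constructor for the
   * superclass. All initialization should be performed in the
   * <CODE>initializeSyntax</CODE> method.
   */
  public CertificateSyntax()
  {
    super();
  }



  /**
   * Initializes this syntax: resolves the default matching rules by OID and
   * registers this instance as a listener for configuration changes.
   * <p>
   * A matching rule that the server does not know is logged as an error but
   * is not fatal; the corresponding getter then returns <CODE>null</CODE>.
   *
   * @param  configuration  The configuration to use for this syntax. It is
   *                        stored and consulted on every value validation.
   *
   * @throws  ConfigException  Declared by the superclass contract; this
   *                           implementation does not throw it itself.
   */
  public void initializeSyntax(CertificateAttributeSyntaxCfg configuration)
         throws ConfigException
  {
    defaultEqualityMatchingRule =
         DirectoryServer.getEqualityMatchingRule(EMR_CERTIFICATE_EXACT_OID);
    if (defaultEqualityMatchingRule == null)
    {
      logError(ERR_ATTR_SYNTAX_UNKNOWN_EQUALITY_MATCHING_RULE.get(
          EMR_CERTIFICATE_EXACT_OID, SYNTAX_CERTIFICATE_NAME));
    }

    defaultOrderingMatchingRule =
         DirectoryServer.getOrderingMatchingRule(OMR_OCTET_STRING_OID);
    if (defaultOrderingMatchingRule == null)
    {
      logError(ERR_ATTR_SYNTAX_UNKNOWN_ORDERING_MATCHING_RULE.get(
          OMR_OCTET_STRING_OID, SYNTAX_CERTIFICATE_NAME));
    }

    defaultSubstringMatchingRule =
         DirectoryServer.getSubstringMatchingRule(SMR_OCTET_STRING_OID);
    if (defaultSubstringMatchingRule == null)
    {
      logError(ERR_ATTR_SYNTAX_UNKNOWN_SUBSTRING_MATCHING_RULE.get(
          SMR_OCTET_STRING_OID, SYNTAX_CERTIFICATE_NAME));
    }

    // Register for change notifications only after the configuration is
    // stored, so a change arriving immediately afterwards is applied on top.
    this.config = configuration;
    config.addCertificateChangeListener(this);
  }



  /**
   * Indicates whether the proposed configuration is acceptable. Every
   * configuration is acceptable for this syntax, so the reasons list is never
   * written to.
   *
   * @param  configuration        The proposed configuration.
   * @param  unacceptableReasons  Unused; nothing is ever appended.
   *
   * @return  Always <CODE>true</CODE>.
   */
  public boolean isConfigurationChangeAcceptable(
                      CertificateAttributeSyntaxCfg configuration,
                      List<Message> unacceptableReasons)
  {
    // The configuration is always acceptable.
    return true;
  }



  /**
   * Installs the new configuration. The switch takes effect for the next
   * valueIsAcceptable call; no restart is required.
   *
   * @param  configuration  The configuration to apply.
   *
   * @return  A successful result with the admin-action-required flag cleared.
   */
  public ConfigChangeResult applyConfigurationChange(
                                 CertificateAttributeSyntaxCfg configuration)
  {
    this.config = configuration;
    return new ConfigChangeResult(ResultCode.SUCCESS, false);
  }



  /**
   * Retrieves the common name for this attribute syntax.
   *
   * @return  The common name for this attribute syntax.
   */
  public String getSyntaxName()
  {
    return SYNTAX_CERTIFICATE_NAME;
  }



  /**
   * Retrieves the OID for this attribute syntax.
   *
   * @return  The OID for this attribute syntax.
   */
  public String getOID()
  {
    return SYNTAX_CERTIFICATE_OID;
  }



  /**
   * Retrieves a description for this attribute syntax.
   *
   * @return  A description for this attribute syntax.
   */
  public String getDescription()
  {
    return SYNTAX_CERTIFICATE_DESCRIPTION;
  }



  /**
   * Retrieves the default equality matching rule that will be used for
   * attributes with this syntax.
   *
   * @return  The default equality matching rule that will be used for
   *          attributes with this syntax, or <CODE>null</CODE> if the rule
   *          was not known to the server when this syntax was initialized.
   */
  public EqualityMatchingRule getEqualityMatchingRule()
  {
    return defaultEqualityMatchingRule;
  }



  /**
   * Retrieves the default ordering matching rule that will be used for
   * attributes with this syntax.
   *
   * @return  The default ordering matching rule that will be used for
   *          attributes with this syntax, or <CODE>null</CODE> if the rule
   *          was not known to the server when this syntax was initialized.
   */
  public OrderingMatchingRule getOrderingMatchingRule()
  {
    return defaultOrderingMatchingRule;
  }



  /**
   * Retrieves the default substring matching rule that will be used for
   * attributes with this syntax.
   *
   * @return  The default substring matching rule that will be used for
   *          attributes with this syntax, or <CODE>null</CODE> if the rule
   *          was not known to the server when this syntax was initialized.
   */
  public SubstringMatchingRule getSubstringMatchingRule()
  {
    return defaultSubstringMatchingRule;
  }



  /**
   * Retrieves the default approximate matching rule that will be used for
   * attributes with this syntax.
   *
   * @return  Always <CODE>null</CODE>: approximate matching is not offered
   *          for certificate values.
   */
  public ApproximateMatchingRule getApproximateMatchingRule()
  {
    // There is no approximate matching rule by default.
    return null;
  }



  /**
   * Indicates whether the provided value is acceptable for use in an attribute
   * with this syntax. If it is not, then the reason may be appended to the
   * provided buffer.
   * <p>
   * This is a structural check of the DER outline of an X.509 certificate
   * (X.509, clause 7): each expected element's tag is verified and the
   * element is then skipped, so the names, validity period, public key and
   * signature are never decoded or verified here. A value is rejected when
   * a required element is missing or has the wrong tag, when the version is
   * outside v1..v3 or is explicitly encoded as the DEFAULT v1 (not allowed in
   * DER, X.690 11.5), when the unique identifiers or extensions appear in a
   * version that does not permit them, when trailing elements remain, or when
   * the ASN.1 reader reports a malformed encoding.
   * <p>
   * When strict format checking is disabled in the configuration, every value
   * is accepted without inspection.
   *
   * @param  value          The value for which to make the determination.
   * @param  invalidReason  The buffer to which the invalid reason should be
   *                        appended.
   *
   * @return  <CODE>true</CODE> if the provided value is acceptable for use with
   *          this syntax, or <CODE>false</CODE> if not.
   */
  public boolean valueIsAcceptable(ByteSequence value,
                                   MessageBuilder invalidReason)
  {
    // Skip validation if strict validation is disabled.
    if (!config.isStrictFormat())
    {
      return true;
    }

    // Validate the ByteSequence against the definitions of X.509, clause 7.
    // Version stays 0 (v1) when the optional version element is absent.
    long x509Version = 0;
    ASN1Reader reader = ASN1.getReader(value);
    try
    {
      // Certificate SIGNED SEQUENCE
      if (!expectElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }
      reader.readStartSequence();

      // CertificateContent SEQUENCE
      if (!expectElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }
      reader.readStartSequence();

      // Optional Version, carried in the EXPLICIT constructed context tag [0]
      if (reader.hasNextElement() &&
          reader.peekType() == (TYPE_MASK_CONTEXT | TYPE_MASK_CONSTRUCTED))
      {
        reader.readStartExplicitTag();
        if (!expectElement(reader, UNIVERSAL_INTEGER_TYPE, invalidReason))
        {
          return false;
        }
        x509Version = reader.readInteger();
        if (x509Version < 0 || x509Version > MAX_X509_VERSION)
        {
          // invalid Version specified
          invalidReason.append(ERR_SYNTAX_CERTIFICATE_INVALID_VERSION
              .get(x509Version));
          return false;
        }
        if (x509Version == 0)
        {
          // DEFAULT values shall not be included in DER encoded SEQUENCE
          // (X.690, 11.5)
          invalidReason.append(ERR_SYNTAX_CERTIFICATE_INVALID_DER.get());
          return false;
        }
        reader.readEndExplicitTag();
      }

      // serialNumber
      if (!skipExpectedElement(reader, UNIVERSAL_INTEGER_TYPE, invalidReason))
      {
        return false;
      }

      // signature AlgorithmIdentifier
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // issuer name (SEQUENCE as of X.501, 9.2)
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // validity (SEQUENCE)
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // subject name (SEQUENCE as of X.501, 9.2)
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // SubjectPublicKeyInfo (SEQUENCE)
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // OPTIONAL issuerUniqueIdentifier, IMPLICIT primitive context tag [1]
      if (reader.hasNextElement() &&
          reader.peekType() == (TYPE_MASK_CONTEXT + 1))
      {
        if (x509Version < 1)
        {
          // only valid in v2 and v3
          invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get());
          return false;
        }
        reader.skipElement();
      }

      // OPTIONAL subjectUniqueIdentifier, IMPLICIT primitive context tag [2]
      if (reader.hasNextElement() &&
          reader.peekType() == (TYPE_MASK_CONTEXT + 2))
      {
        if (x509Version < 1)
        {
          // only valid in v2 and v3
          invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get());
          return false;
        }
        reader.skipElement();
      }

      // OPTIONAL extensions, EXPLICIT constructed context tag [3]
      if (reader.hasNextElement() &&
          reader.peekType() == ((TYPE_MASK_CONTEXT|TYPE_MASK_CONSTRUCTED) + 3))
      {
        if (x509Version < 2)
        {
          // only valid in v3
          invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get());
          return false;
        }
        reader.readStartExplicitTag(); // read Tag
        // The tag must wrap a SEQUENCE of extensions; its content is not
        // examined.
        if (!expectElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
        {
          return false;
        }
        // NOTE(review): the inner SEQUENCE is never read or skipped here;
        // readEndExplicitTag() is relied on to discard what remains inside
        // the tag -- confirm against the ASN1Reader implementation.
        reader.readEndExplicitTag(); // read end Tag
      }

      // There should not be any further ASN.1 elements within this SEQUENCE
      if (!expectNoMoreElements(reader, invalidReason))
      {
        return false;
      }
      reader.readEndSequence(); // End CertificateContent SEQUENCE

      // AlgorithmIdentifier SEQUENCE
      if (!skipExpectedElement(reader, UNIVERSAL_SEQUENCE_TYPE, invalidReason))
      {
        return false;
      }

      // ENCRYPTED HASH BIT STRING
      if (!skipExpectedElement(reader, UNIVERSAL_BIT_STRING_TYPE,
                               invalidReason))
      {
        return false;
      }

      // There should not be any further ASN.1 elements within this SEQUENCE
      if (!expectNoMoreElements(reader, invalidReason))
      {
        return false;
      }
      reader.readEndSequence(); // End Certificate SEQUENCE

      // There should not be any further ASN.1 elements
      if (!expectNoMoreElements(reader, invalidReason))
      {
        return false;
      }
      // End of the certificate
    }
    catch (ASN1Exception e)
    {
      // Malformed encodings (bad lengths, truncated input, ...) surface here
      // from the reader and reject the value with the reader's own message.
      invalidReason.append(e.getMessageObject());
      return false;
    }

    // The basic structure of the value is an X.509 certificate
    return true;
  }



  /**
   * Checks that the reader is positioned on an element with the expected
   * type without consuming it. On mismatch (or at end of input) the generic
   * "not a valid certificate" reason is appended.
   *
   * @param  reader         The reader positioned on the element to inspect.
   * @param  expectedType   The ASN.1 type byte the next element must have.
   * @param  invalidReason  The buffer that receives the reason on failure.
   *
   * @return  <CODE>true</CODE> if the next element has the expected type.
   *
   * @throws  ASN1Exception  If the reader cannot peek at the next element.
   */
  private static boolean expectElement(ASN1Reader reader, byte expectedType,
                                       MessageBuilder invalidReason)
          throws ASN1Exception
  {
    if (!reader.hasNextElement() || reader.peekType() != expectedType)
    {
      invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get());
      return false;
    }
    return true;
  }



  /**
   * Checks that the next element has the expected type and then skips over
   * it without decoding its content.
   *
   * @param  reader         The reader positioned on the element to skip.
   * @param  expectedType   The ASN.1 type byte the element must have.
   * @param  invalidReason  The buffer that receives the reason on failure.
   *
   * @return  <CODE>true</CODE> if the element was present and skipped.
   *
   * @throws  ASN1Exception  If the reader cannot inspect or skip the element.
   */
  private static boolean skipExpectedElement(ASN1Reader reader,
                                             byte expectedType,
                                             MessageBuilder invalidReason)
          throws ASN1Exception
  {
    if (!expectElement(reader, expectedType, invalidReason))
    {
      return false;
    }
    reader.skipElement();
    return true;
  }



  /**
   * Checks that no element remains at the reader's current nesting level,
   * appending the generic reason if one does.
   *
   * @param  reader         The reader to inspect.
   * @param  invalidReason  The buffer that receives the reason on failure.
   *
   * @return  <CODE>true</CODE> if no further element is available.
   *
   * @throws  ASN1Exception  If the reader cannot determine that.
   */
  private static boolean expectNoMoreElements(ASN1Reader reader,
                                              MessageBuilder invalidReason)
          throws ASN1Exception
  {
    if (reader.hasNextElement())
    {
      invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get());
      return false;
    }
    return true;
  }



  /**
   * Indicates that values of this syntax are binary (raw DER), not text.
   *
   * @return  Always <CODE>true</CODE>.
   */
  public boolean isBinary()
  {
    return true;
  }



  /**
   * Indicates that values of this syntax are not meant to be displayed as
   * text.
   *
   * @return  Always <CODE>false</CODE>.
   */
  public boolean isHumanReadable()
  {
    return false;
  }
}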
|