mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opendj-server-legacy/src/main/java/org/opends/server/schema/CertificateSyntax.java
@@ -27,27 +27,21 @@ */ package org.opends.server.schema; import java.io.IOException; import static org.opends.server.schema.SchemaConstants.*; import java.util.List; import org.forgerock.i18n.slf4j.LocalizedLogger; import org.opends.server.admin.server.ConfigurationChangeListener; import org.opends.server.admin.std.server.CertificateAttributeSyntaxCfg; import org.forgerock.opendj.ldap.schema.MatchingRule; import org.opends.server.api.AttributeSyntax; import org.forgerock.opendj.config.server.ConfigException; import org.opends.server.core.DirectoryServer; import org.forgerock.opendj.ldap.ByteSequence; import org.forgerock.opendj.config.server.ConfigChangeResult; import org.forgerock.opendj.io.ASN1; import org.forgerock.opendj.ldap.DecodeException; import org.forgerock.opendj.io.ASN1Reader; import static org.opends.messages.SchemaMessages.*; import org.forgerock.i18n.LocalizableMessage; import org.forgerock.i18n.LocalizableMessageBuilder; import static org.opends.server.schema.SchemaConstants.*; import org.forgerock.opendj.config.server.ConfigChangeResult; import org.forgerock.opendj.config.server.ConfigException; import org.forgerock.opendj.ldap.Option; import org.forgerock.opendj.ldap.schema.Schema; import org.forgerock.opendj.ldap.schema.SchemaOptions; import org.forgerock.opendj.ldap.schema.Syntax; import org.opends.server.admin.server.ConfigurationChangeListener; import org.opends.server.admin.std.server.CertificateAttributeSyntaxCfg; import org.opends.server.api.AttributeSyntax; import org.opends.server.core.ServerContext; /** @@ -59,20 +53,11 @@ implements ConfigurationChangeListener<CertificateAttributeSyntaxCfg> { private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass(); /** The default equality matching rule for this syntax. */ private MatchingRule defaultEqualityMatchingRule; /** The default ordering matching rule for this syntax. */ private MatchingRule defaultOrderingMatchingRule; /** The default substring matching rule for this syntax. */ private MatchingRule defaultSubstringMatchingRule; /** The current configuration. */ private volatile CertificateAttributeSyntaxCfg config; private ServerContext serverContext; /** * Creates a new instance of this syntax. Note that the only thing that * should be done here is to invoke the default constructor for the @@ -85,38 +70,37 @@ } /** {@inheritDoc} */ public void initializeSyntax(CertificateAttributeSyntaxCfg configuration) @Override public void initializeSyntax(CertificateAttributeSyntaxCfg configuration, ServerContext serverContext) throws ConfigException { defaultEqualityMatchingRule = DirectoryServer.getMatchingRule(EMR_CERTIFICATE_EXACT_OID); if (defaultEqualityMatchingRule == null) { logger.error(ERR_ATTR_SYNTAX_UNKNOWN_EQUALITY_MATCHING_RULE, EMR_CERTIFICATE_EXACT_OID, SYNTAX_CERTIFICATE_NAME); } defaultOrderingMatchingRule = DirectoryServer.getMatchingRule(OMR_OCTET_STRING_OID); if (defaultOrderingMatchingRule == null) { logger.error(ERR_ATTR_SYNTAX_UNKNOWN_ORDERING_MATCHING_RULE, OMR_OCTET_STRING_OID, SYNTAX_CERTIFICATE_NAME); } defaultSubstringMatchingRule = DirectoryServer.getMatchingRule(SMR_OCTET_STRING_OID); if (defaultSubstringMatchingRule == null) { logger.error(ERR_ATTR_SYNTAX_UNKNOWN_SUBSTRING_MATCHING_RULE, SMR_OCTET_STRING_OID, SYNTAX_CERTIFICATE_NAME); } this.config = configuration; this.serverContext = serverContext; updateNewSchema(); config.addCertificateChangeListener(this); } /** Update the option in new schema if it changes from current value. */ private void updateNewSchema() { Option<Boolean> option = SchemaOptions.ALLOW_MALFORMED_CERTIFICATES; if (config.isStrictFormat() == serverContext.getSchemaNG().getOption(option)) { SchemaUpdater schemaUpdater = serverContext.getSchemaUpdater(); schemaUpdater.updateSchema( schemaUpdater.getSchemaBuilder().setOption(option, !config.isStrictFormat()).toSchema()); } } /** {@inheritDoc} */ @Override public Syntax getSDKSyntax(Schema schema) { return schema.getSyntax(SchemaConstants.SYNTAX_CERTIFICATE_OID); } /** {@inheritDoc} */ @Override public boolean isConfigurationChangeAcceptable( CertificateAttributeSyntaxCfg configuration, List<LocalizableMessage> unacceptableReasons) @@ -126,10 +110,12 @@ } /** {@inheritDoc} */ @Override public ConfigChangeResult applyConfigurationChange( CertificateAttributeSyntaxCfg configuration) { this.config = configuration; updateNewSchema(); return new ConfigChangeResult(); } @@ -138,6 +124,7 @@ * * @return The common name for this attribute syntax. */ @Override public String getName() { return SYNTAX_CERTIFICATE_NAME; @@ -148,6 +135,7 @@ * * @return The OID for this attribute syntax. */ @Override public String getOID() { return SYNTAX_CERTIFICATE_OID; @@ -158,305 +146,10 @@ * * @return A description for this attribute syntax. */ @Override public String getDescription() { return SYNTAX_CERTIFICATE_DESCRIPTION; } /** * Retrieves the default equality matching rule that will be used for * attributes with this syntax. * * @return The default equality matching rule that will be used for * attributes with this syntax, or <CODE>null</CODE> if equality * matches will not be allowed for this type by default. */ public MatchingRule getEqualityMatchingRule() { return defaultEqualityMatchingRule; } /** * Retrieves the default ordering matching rule that will be used for * attributes with this syntax. * * @return The default ordering matching rule that will be used for * attributes with this syntax, or <CODE>null</CODE> if ordering * matches will not be allowed for this type by default. */ public MatchingRule getOrderingMatchingRule() { return defaultOrderingMatchingRule; } /** * Retrieves the default substring matching rule that will be used for * attributes with this syntax. * * @return The default substring matching rule that will be used for * attributes with this syntax, or <CODE>null</CODE> if substring * matches will not be allowed for this type by default. */ public MatchingRule getSubstringMatchingRule() { return defaultSubstringMatchingRule; } /** * Retrieves the default approximate matching rule that will be used for * attributes with this syntax. * * @return The default approximate matching rule that will be used for * attributes with this syntax, or <CODE>null</CODE> if approximate * matches will not be allowed for this type by default. */ public MatchingRule getApproximateMatchingRule() { // There is no approximate matching rule by default. return null; } /** * Indicates whether the provided value is acceptable for use in an attribute * with this syntax. If it is not, then the reason may be appended to the * provided buffer. * * @param value The value for which to make the determination. * @param invalidReason The buffer to which the invalid reason should be * appended. * * @return <CODE>true</CODE> if the provided value is acceptable for use with * this syntax, or <CODE>false</CODE> if not. */ public boolean valueIsAcceptable(ByteSequence value, LocalizableMessageBuilder invalidReason) { // Skip validation if strict validation is disabled. if (!config.isStrictFormat()) { return true; } // Validate the ByteSequence against the definitions of X.509, clause 7 long x509Version=0; ASN1Reader reader = ASN1.getReader(value); try { // Certificate SIGNED SEQUENCE if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readStartSequence(); // CertificateContent SEQUENCE if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readStartSequence(); // Optional Version if (reader.hasNextElement() && reader.peekType() == (ASN1.TYPE_MASK_CONTEXT | ASN1.TYPE_MASK_CONSTRUCTED)) { reader.readStartExplicitTag(); if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_INTEGER_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } x509Version=reader.readInteger(); if (x509Version < 0 || x509Version >2) { // invalid Version specified invalidReason.append(ERR_SYNTAX_CERTIFICATE_INVALID_VERSION .get(x509Version)); return false; } if (x509Version == 0) { // DEFAULT values shall not be included in DER encoded SEQUENCE // (X.690, 11.5) invalidReason.append(ERR_SYNTAX_CERTIFICATE_INVALID_DER.get()); return false; } reader.readEndExplicitTag(); } // serialNumber if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_INTEGER_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // signature AlgorithmIdentifier if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // issuer name (SEQUENCE as of X.501, 9.2) if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // validity (SEQUENCE) if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // subject name (SEQUENCE as of X.501, 9.2) if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // SubjectPublicKeyInfo (SEQUENCE) if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // OPTIONAL issuerUniqueIdentifier if (reader.hasNextElement() && reader.peekType() == (ASN1.TYPE_MASK_CONTEXT + 1)) { if (x509Version < 1) { // only valid in v2 and v3 invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); } // OPTIONAL subjectUniqueIdentifier if (reader.hasNextElement() && reader.peekType() == (ASN1.TYPE_MASK_CONTEXT + 2)) { if (x509Version < 1) { // only valid in v2 and v3 invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); } // OPTIONAL extensions if (reader.hasNextElement() && reader.peekType() == ((ASN1.TYPE_MASK_CONTEXT|ASN1.TYPE_MASK_CONSTRUCTED) + 3)) { if (x509Version < 2) { // only valid in v3 invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readStartExplicitTag(); // read Tag if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { // only valid in v3 invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readEndExplicitTag(); // read end Tag } // There should not be any further ASN.1 elements within this SEQUENCE if (reader.hasNextElement()) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readEndSequence(); // End CertificateContent SEQUENCE // AlgorithmIdentifier SEQUENCE if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_SEQUENCE_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // ENCRYPTED HASH BIT STRING if (!reader.hasNextElement() || reader.peekType() != ASN1.UNIVERSAL_BIT_STRING_TYPE) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.skipElement(); // There should not be any further ASN.1 elements within this SEQUENCE if (reader.hasNextElement()) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } reader.readEndSequence(); // End Certificate SEQUENCE // There should not be any further ASN.1 elements if (reader.hasNextElement()) { invalidReason.append(ERR_SYNTAX_CERTIFICATE_NOTVALID.get()); return false; } // End of the certificate } catch (DecodeException e) { invalidReason.append(e.getMessageObject()); return false; } catch (IOException e) { invalidReason.append(e.getMessage()); return false; } // The basic structure of the value is an X.509 certificate return true; } /** {@inheritDoc} */ public boolean isBEREncodingRequired() { return true; } /** {@inheritDoc} */ public boolean isHumanReadable() { return false; } }
