Class EnrollProfile

An enrollment profile contains a list of enrollment-specific input plugins, default policies, constraint policies and output plugins. This interface also defines a set of enrollment-specific attribute names that can be used to retrieve values from an enrollment request.

- Version: $Revision$, $Date$
- Author: cfu
Field Summary

Fields (modifier and type, field, description)
- static final String CTX_CERT_REQUEST_TYPE: Name of request attribute that stores the User Supplied Certificate Request Type.
- static final String CTX_RENEWAL: Name of request attribute to indicate if this is a renewal.
- static final String CTX_RENEWAL_SEQ_NUM: Name of the request attribute that stores the sequence number for a renewal request.
- static org.slf4j.Logger logger
- static final String REQ_TYPE_CMC
- static final String REQ_TYPE_CRMF
- static final String REQ_TYPE_KEYGEN
- static final String REQ_TYPE_PKCS10: Possible values for the CTX_CERT_REQUEST_TYPE attribute.
- static final String REQUEST_AUTHORITY_ID: ID of the requested certificate authority (absence implies the host authority).
- static final String REQUEST_CERTINFO: Name of request attribute that stores the certificate template that will be signed and then become a certificate.
- static final String REQUEST_EXTENSIONS: Name of request attribute that stores the End-User Supplied Extensions.
- static final String REQUEST_ISSUED_CERT: Name of request attribute that stores the issued certificate.
- static final String REQUEST_ISSUED_P12: Name of request attribute that stores the issued P12 from server-side keygen.
- static final String REQUEST_LOCALE: Name of request attribute that stores the End-User Locale.
- static final String REQUEST_SEQ_NUM: Name of request attribute that stores the sequence number.
- static final String REQUEST_SIGNING_ALGORITHM: Name of request attribute that stores the End-User Supplied Signing Algorithm.
- static final String REQUEST_USER_DATA: Arbitrary user-supplied data.
- static final String REQUEST_VALIDITY: Name of request attribute that stores the End-User Supplied Validity.

Fields inherited from class com.netscape.cms.profile.common.Profile
mAuthInstanceId, mAuthzAcl, mConfig, mId, mInputIds, mInputNames, mInputs, mOutputIds, mOutputs, mPolicySet, mUpdaterIds, mUpdaters, PROP_CLASS_ID, PROP_CONSTRAINT, PROP_DEFAULT, PROP_DESC, PROP_ENABLE, PROP_ENABLE_BY, PROP_GENERIC_EXT_DEFAULT, PROP_INPUT, PROP_INPUT_LIST, PROP_INSTANCE_ID, PROP_IS_RENEWAL, PROP_NAME, PROP_NO_CONSTRAINT, PROP_NO_DEFAULT, PROP_OUTPUT, PROP_OUTPUT_LIST, PROP_PARAMS, PROP_POLICY_LIST, PROP_UPDATER_LIST, PROP_VISIBLE, PROP_XML_OUTPUT, registry, signedAuditLogger
Constructor Summary

Constructors
- EnrollProfile()

Method Summary

Methods (modifier and type, method, description)
- protected String auditProfileID(): Signed Audit Log Profile ID. This method is inherited by all extended "EnrollProfile"s, and is called to obtain the "ProfileID" for a signed audit log message.
- protected String auditRequesterID(Request request): Signed Audit Log Requester ID. This method is inherited by all extended "EnrollProfile"s, and is called to obtain the "RequesterID" for a signed audit log message.
- abstract void createEnrollmentRequest
- Request[] createRequests(Map<String, String> ctx, Locale locale): Creates request.
- void execute(Request request): Process a request after validation.
- void fillCertReqMsg(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- void fillKeyGen(Locale locale, org.mozilla.jss.netscape.security.util.DerInputStream derIn, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- void fillNSHKEY(Locale locale, String tcuid, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- void fillNSNKEY(Locale locale, String sn, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- void fillPKCS10(Locale locale, org.mozilla.jss.netscape.security.pkcs.PKCS10 pkcs10, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- void fillTaggedRequest(Locale locale, org.mozilla.jss.pkix.cmc.TaggedRequest tagreq, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req)
- abstract IAuthority getAuthority()
- static org.mozilla.jss.netscape.security.x509.X509CertImpl getCMCSigningCertFromCertSerial(String certSerial): To be used when authentication was done with CMCUserSignedAuth, where the resulting authToken contains IAuthManager.CRED_CMC_SIGNING_CERT (a serial number). This method takes the serial number and finds the cert in the CA's certdb.
- static org.mozilla.jss.netscape.security.x509.CertificateSubjectName getCMCSigningCertSNfromCertSerial(String certSerial)
- abstract org.mozilla.jss.netscape.security.x509.X500Name getIssuerName()
- protected org.mozilla.jss.pkix.crmf.PKIArchiveOptions getPKIArchiveOptions(org.mozilla.jss.pkix.primitive.AVA ava)
- org.mozilla.jss.pkix.cmc.PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob)
- getPolicySetId(Request req): Perform simple policy set assignment.
- protected org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 getPopLinkWitnessV2control(org.mozilla.jss.asn1.ASN1Value value)
- getRequestorDN(Request request): Retrieves a localized string that represents the requestor's distinguished name.
- org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq)
- org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI)
- void populate(Request request): Passes the request to the set of default policies that populate the profile information against the profile.
- void populateInput(Map<String, String> ctx, Request request): Populate input.
- void setDefaultCertInfo(Request request): Set Default X509CertInfo in the request.
- void setPOPchallenge(Request req): Generates a POP challenge and sets the necessary info in the request for composing encryptedPOP later.
- void submit(IAuthToken token, Request request): This method is called after the user submits the request from the end-entity page.
- void submit(IAuthToken token, Request request, boolean explicitApprovalRequired)
- byte[] toByteArray(org.mozilla.jss.pkix.crmf.PKIArchiveOptions options)
- org.mozilla.jss.pkix.crmf.PKIArchiveOptions toPKIArchiveOptions(byte[] options)
- void validate(Request request): Passes the request to the set of constraint policies that validate the request against the profile.
- void verifyPOP(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg)
- protected boolean verifyPopLinkWitnessV2(org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 popLinkWitnessV2, byte[] randomSeed, byte[] sharedSecret, String ident_string)

Methods inherited from class com.netscape.cms.profile.common.Profile
addInputName, auditSubjectID, createProfileInput, createProfileInput, createProfileOutput, createProfileOutput, createProfilePolicy, createProfilePolicy, deleteAllProfileInputs, deleteAllProfileOutputs, deleteAllProfilePolicies, deleteProfileInput, deleteProfileOutput, deleteProfilePolicy, getApprovedBy, getAuthenticatorId, getAuthzAcl, getConfigStore, getDescription, getId, getInputNames, getName, getPolicies, getProfileInput, getProfileInputIds, getProfileOutput, getProfileOutputIds, getProfilePolicies, getProfilePolicy, getProfilePolicyIds, getProfilePolicySetIds, getProfileUpdater, getProfileUpdaterIds, init, isEnable, isRenewal, isVisible, isXmlOutput, setAuthenticatorId, setAuthzAcl, setDescription, setId, setName, setRenewal, setVisible, setXMLOutput
Field Details

logger
public static org.slf4j.Logger logger

CTX_CERT_REQUEST_TYPE
Name of request attribute that stores the User Supplied Certificate Request Type.

REQ_TYPE_PKCS10
Possible values for the CTX_CERT_REQUEST_TYPE attribute.

REQ_TYPE_CRMF

REQ_TYPE_CMC

REQ_TYPE_KEYGEN

REQUEST_LOCALE
Name of request attribute that stores the End-User Locale. The value is of type java.util.Locale.

REQUEST_SEQ_NUM
Name of request attribute that stores the sequence number. Consider a CRMF request that may contain multiple certificate requests: the first sub certificate request has a sequence number of 0, the next one has a sequence number of 1, and so on. The value is of type java.lang.Integer.

CTX_RENEWAL_SEQ_NUM
Name of the request attribute that stores the sequence number for a renewal request. Only one request at a time is permitted for a renewal. This value corresponds to the sequence number (and hence the appropriate certificate) of the original request.

CTX_RENEWAL
Name of request attribute to indicate if this is a renewal.

REQUEST_VALIDITY
Name of request attribute that stores the End-User Supplied Validity. The value is of type org.mozilla.jss.netscape.security.x509.CertificateValidity.

REQUEST_SIGNING_ALGORITHM
Name of request attribute that stores the End-User Supplied Signing Algorithm. The value is of type org.mozilla.jss.netscape.security.x509.CertificateAlgorithmId.

REQUEST_EXTENSIONS
Name of request attribute that stores the End-User Supplied Extensions. The value is of type org.mozilla.jss.netscape.security.x509.CertificateExtensions.

REQUEST_CERTINFO
Name of request attribute that stores the certificate template that will be signed and then become a certificate. The value is of type org.mozilla.jss.netscape.security.x509.X509CertInfo.

REQUEST_ISSUED_CERT
Name of request attribute that stores the issued certificate. The value is of type org.mozilla.jss.netscape.security.x509.X509CertImpl.

REQUEST_ISSUED_P12
Name of request attribute that stores the issued P12 from server-side keygen.

REQUEST_AUTHORITY_ID
ID of the requested certificate authority (absence implies the host authority).

REQUEST_USER_DATA
Arbitrary user-supplied data.
Constructor Details

EnrollProfile
public EnrollProfile()
Method Details

getAuthority

createRequests
Creates request.
- Specified by: createRequests in class Profile
- Parameters:
  - ctx - profile context
  - locale - user locale
- Returns: a list of requests
- Throws: Exception - failed to create requests

getIssuerName
public abstract org.mozilla.jss.netscape.security.x509.X500Name getIssuerName()

setDefaultCertInfo
Set Default X509CertInfo in the request.
- Parameters:
  - request - profile-based certificate request
- Throws: EProfileException - failed to set the X509CertInfo

createEnrollmentRequest
- Throws: EProfileException

execute
Description copied from class Profile:
Process a request after validation.
- Overrides: execute in class Profile
- Parameters:
  - request - request to be processed
- Throws: EProfileException - failed to process

getPolicySetId
Perform simple policy set assignment.
- Specified by: getPolicySetId in class Profile
- Parameters:
  - req - request
- Returns: policy set id

getRequestorDN
Description copied from class Profile:
Retrieves a localized string that represents the requestor's distinguished name. This string is displayed in the request listing user interface.
- Overrides: getRequestorDN in class Profile
- Parameters:
  - request - request
- Returns: distinguished name of the request owner

setPOPchallenge
setPOPchallenge generates a POP challenge and sets the necessary info in the request for composing encryptedPOP later.
- Parameters:
  - req - the request
- Throws: EBaseException

submit
This method is called after the user submits the request from the end-entity page.
- Specified by: submit in class Profile
- Parameters:
  - token - authentication token
  - request - request to be processed
- Throws:
  - EDeferException - defer request
  - EProfileException - failed to submit

submit
public void submit(IAuthToken token, Request request, boolean explicitApprovalRequired) throws EDeferException, EProfileException
- Specified by: submit in class Profile
- Throws:
  - EDeferException
  - EProfileException

getPKIDataFromCMCblob
public org.mozilla.jss.pkix.cmc.PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob) throws EProfileException
- Parameters:
  - certReqBlob - CMC b64-encoded blob
- Returns: PKIData
- Throws: EProfileException

getCMCSigningCertSNfromCertSerial
public static org.mozilla.jss.netscape.security.x509.CertificateSubjectName getCMCSigningCertSNfromCertSerial(String certSerial) throws Exception
- Throws: Exception

getCMCSigningCertFromCertSerial
public static org.mozilla.jss.netscape.security.x509.X509CertImpl getCMCSigningCertFromCertSerial(String certSerial) throws Exception
getCMCSigningCertFromCertSerial is to be used when authentication was done with CMCUserSignedAuth, where the resulting authToken contains IAuthManager.CRED_CMC_SIGNING_CERT (a serial number). This method takes the serial number and finds the cert in the CA's certdb.
- Throws: Exception

parseCMC
public org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq) throws EProfileException
- Throws: EProfileException

parseCMC
public org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI) throws EProfileException
- Throws: EProfileException

getPopLinkWitnessV2control
protected org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 getPopLinkWitnessV2control(org.mozilla.jss.asn1.ASN1Value value)

verifyPopLinkWitnessV2
protected boolean verifyPopLinkWitnessV2(org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 popLinkWitnessV2, byte[] randomSeed, byte[] sharedSecret, String ident_string)

fillTaggedRequest
public void fillTaggedRequest(Locale locale, org.mozilla.jss.pkix.cmc.TaggedRequest tagreq, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCPopFailedException, ECMCBadRequestException

getPKIArchiveOptions
protected org.mozilla.jss.pkix.crmf.PKIArchiveOptions getPKIArchiveOptions(org.mozilla.jss.pkix.primitive.AVA ava)

toPKIArchiveOptions
public org.mozilla.jss.pkix.crmf.PKIArchiveOptions toPKIArchiveOptions(byte[] options)

toByteArray
public byte[] toByteArray(org.mozilla.jss.pkix.crmf.PKIArchiveOptions options)

fillCertReqMsg
public void fillCertReqMsg(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCUnsupportedExtException

fillPKCS10
public void fillPKCS10(Locale locale, org.mozilla.jss.netscape.security.pkcs.PKCS10 pkcs10, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCUnsupportedExtException

fillNSNKEY
public void fillNSNKEY(Locale locale, String sn, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
- Throws: EProfileException

fillNSHKEY
public void fillNSHKEY(Locale locale, String tcuid, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
- Throws: EProfileException

fillKeyGen
public void fillKeyGen(Locale locale, org.mozilla.jss.netscape.security.util.DerInputStream derIn, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
- Throws: EProfileException

getLocale

populateInput
Populate input (either all "agent" profile cert requests NOT made through a connector, or all "EE" profile cert requests NOT made through a connector).
- signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST is used when a profile cert request is made (before the approval process)
- Overrides: populateInput in class Profile
- Parameters:
  - ctx - profile context
  - request - the certificate request
- Throws: Exception - an error related to this profile has occurred

populate
Description copied from class Profile:
Passes the request to the set of default policies that populate the profile information against the profile.
- Overrides: populate in class Profile
- Parameters:
  - request - request
- Throws: EProfileException - failed to populate default values

validate
Passes the request to the set of constraint policies that validate the request against the profile.
- Overrides: validate in class Profile
- Parameters:
  - request - request
- Throws: ERejectException - validation violation

auditRequesterID
Signed Audit Log Requester ID. This method is inherited by all extended "EnrollProfile"s, and is called to obtain the "RequesterID" for a signed audit log message.
- Parameters:
  - request - the actual request
- Returns: id string containing the signed audit log message RequesterID

auditProfileID
Signed Audit Log Profile ID. This method is inherited by all extended "EnrollProfile"s, and is called to obtain the "ProfileID" for a signed audit log message.
- Returns: id string containing the signed audit log message ProfileID

verifyPOP
public void verifyPOP(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg) throws EProfileException, ECMCPopFailedException