Class EnrollProfile

java.lang.Object
com.netscape.cms.profile.common.Profile
com.netscape.cms.profile.common.EnrollProfile

public abstract class EnrollProfile extends Profile
This class implements a generic enrollment profile.

An enrollment profile contains a list of enrollment-specific input plugins, default policies, constraint policies and output plugins.

This class also defines a set of enrollment-specific attribute names that can be used to retrieve values from an enrollment request.

Version:
$Revision$, $Date$
Author:
cfu
  • Field Details

    • logger

      public static org.slf4j.Logger logger
    • CTX_CERT_REQUEST_TYPE

      public static final String CTX_CERT_REQUEST_TYPE
      Name of request attribute that stores the User Supplied Certificate Request Type.
    • REQ_TYPE_PKCS10

      public static final String REQ_TYPE_PKCS10
      Possible values for CTX_CERT_REQUEST_TYPE attribute.
    • REQ_TYPE_CRMF

      public static final String REQ_TYPE_CRMF
    • REQ_TYPE_CMC

      public static final String REQ_TYPE_CMC
    • REQ_TYPE_KEYGEN

      public static final String REQ_TYPE_KEYGEN
    • REQUEST_LOCALE

      public static final String REQUEST_LOCALE
      Name of request attribute that stores the End-User Locale.

      The value is of type java.util.Locale.

    • REQUEST_SEQ_NUM

      public static final String REQUEST_SEQ_NUM
      Name of request attribute that stores the sequence number. Consider a CRMF request that may contain multiple certificate requests. The first sub certificate request has a sequence number of 0, the next one has a sequence number of 1, and so on.

      The value is of type java.lang.Integer.

    • CTX_RENEWAL_SEQ_NUM

      public static final String CTX_RENEWAL_SEQ_NUM
      Name of the request attribute that stores the sequence number for a renewal request. Only one request at a time is permitted for a renewal. This value corresponds to the sequence number (and hence the appropriate certificate) of the original request.
    • CTX_RENEWAL

      public static final String CTX_RENEWAL
      Name of request attribute that indicates whether this is a renewal.
    • REQUEST_VALIDITY

      public static final String REQUEST_VALIDITY
      Name of request attribute that stores the End-User Supplied Validity.

      The value is of type org.mozilla.jss.netscape.security.x509.CertificateValidity

    • REQUEST_SIGNING_ALGORITHM

      public static final String REQUEST_SIGNING_ALGORITHM
      Name of request attribute that stores the End-User Supplied Signing Algorithm.

      The value is of type org.mozilla.jss.netscape.security.x509.CertificateAlgorithmId

    • REQUEST_EXTENSIONS

      public static final String REQUEST_EXTENSIONS
      Name of request attribute that stores the End-User Supplied Extensions.

      The value is of type org.mozilla.jss.netscape.security.x509.CertificateExtensions

    • REQUEST_CERTINFO

      public static final String REQUEST_CERTINFO
      Name of request attribute that stores the certificate template that will be signed and then become a certificate.

      The value is of type org.mozilla.jss.netscape.security.x509.X509CertInfo

    • REQUEST_ISSUED_CERT

      public static final String REQUEST_ISSUED_CERT
      Name of request attribute that stores the issued certificate.

      The value is of type org.mozilla.jss.netscape.security.x509.X509CertImpl

    • REQUEST_ISSUED_P12

      public static final String REQUEST_ISSUED_P12
      Name of request attribute that stores the issued P12 from server-side keygen.

    • REQUEST_AUTHORITY_ID

      public static final String REQUEST_AUTHORITY_ID
      ID of the requested certificate authority (absence implies the host authority).
    • REQUEST_USER_DATA

      public static final String REQUEST_USER_DATA
      Arbitrary user-supplied data.
  • Constructor Details

    • EnrollProfile

      public EnrollProfile()
  • Method Details

    • getAuthority

      public abstract IAuthority getAuthority()
    • createRequests

      public Request[] createRequests(Map<String,String> ctx, Locale locale) throws Exception
      Creates the requests for this profile context.
      Specified by:
      createRequests in class Profile
      Parameters:
      ctx - profile context
      locale - user locale
      Returns:
      a list of requests
      Throws:
      Exception - failed to create requests
    • getIssuerName

      public abstract org.mozilla.jss.netscape.security.x509.X500Name getIssuerName()
    • setDefaultCertInfo

      public void setDefaultCertInfo(Request request) throws EProfileException
      Sets the default X509CertInfo in the request.
      Parameters:
      request - profile-based certificate request.
      Throws:
      EProfileException - failed to set the X509CertInfo.
    • createEnrollmentRequest

      public Request createEnrollmentRequest() throws EProfileException
      Throws:
      EProfileException
    • execute

      public abstract void execute(Request request) throws EProfileException
      Description copied from class: Profile
      Process a request after validation.
      Overrides:
      execute in class Profile
      Parameters:
      request - request to be processed
      Throws:
      EProfileException - failed to process
    • getPolicySetId

      public String getPolicySetId(Request req)
      Performs simple policy set assignment.
      Specified by:
      getPolicySetId in class Profile
      Parameters:
      req - request
      Returns:
      policy set id
    • getRequestorDN

      public String getRequestorDN(Request request)
      Description copied from class: Profile
      Retrieves a localized string that represents the requestor's distinguished name. This string is displayed in the request listing user interface.
      Overrides:
      getRequestorDN in class Profile
      Parameters:
      request - request
      Returns:
      distinguished name of the request owner
    • setPOPchallenge

      public void setPOPchallenge(Request req) throws EBaseException
      Generates a POP challenge and sets the necessary info in the request for composing the encryptedPOP later.
      Parameters:
      req - the request
      Throws:
      EBaseException
    • submit

      public void submit(IAuthToken token, Request request) throws EDeferException, EProfileException
      This method is called after the user submits the request from the end-entity page.
      Specified by:
      submit in class Profile
      Parameters:
      token - authentication token
      request - request to be processed
      Throws:
      EDeferException - defer request
      EProfileException - failed to submit
    • submit

      public void submit(IAuthToken token, Request request, boolean explicitApprovalRequired) throws EDeferException, EProfileException
      Specified by:
      submit in class Profile
      Throws:
      EDeferException
      EProfileException
    • getPKIDataFromCMCblob

      public org.mozilla.jss.pkix.cmc.PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob) throws EProfileException
      getPKIDataFromCMCblob
      Parameters:
      certReqBlob - base64-encoded CMC blob
      Returns:
      PKIData
      Throws:
      EProfileException
    • getCMCSigningCertSNfromCertSerial

      public static org.mozilla.jss.netscape.security.x509.CertificateSubjectName getCMCSigningCertSNfromCertSerial(String certSerial) throws Exception
      Throws:
      Exception
    • getCMCSigningCertFromCertSerial

      public static org.mozilla.jss.netscape.security.x509.X509CertImpl getCMCSigningCertFromCertSerial(String certSerial) throws Exception
      To be used when authentication was done with CMCUserSignedAuth, where the resulting authToken contains IAuthManager.CRED_CMC_SIGNING_CERT (the serial number). This method takes the serial number and finds the cert in the CA's certdb.
      Throws:
      Exception
    • parseCMC

      public org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq) throws EProfileException
      Throws:
      EProfileException
    • parseCMC

      public org.mozilla.jss.pkix.cmc.TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI) throws EProfileException
      Throws:
      EProfileException
    • getPopLinkWitnessV2control

      protected org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 getPopLinkWitnessV2control(org.mozilla.jss.asn1.ASN1Value value)
      getPopLinkWitnessV2control
    • verifyPopLinkWitnessV2

      protected boolean verifyPopLinkWitnessV2(org.mozilla.jss.pkix.cmc.PopLinkWitnessV2 popLinkWitnessV2, byte[] randomSeed, byte[] sharedSecret, String ident_string)
      verifyPopLinkWitnessV2
    • fillTaggedRequest

      public void fillTaggedRequest(Locale locale, org.mozilla.jss.pkix.cmc.TaggedRequest tagreq, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCPopFailedException, ECMCBadRequestException
      Throws:
      EProfileException
      ECMCPopFailedException
      ECMCBadRequestException
    • getPKIArchiveOptions

      protected org.mozilla.jss.pkix.crmf.PKIArchiveOptions getPKIArchiveOptions(org.mozilla.jss.pkix.primitive.AVA ava)
    • toPKIArchiveOptions

      public org.mozilla.jss.pkix.crmf.PKIArchiveOptions toPKIArchiveOptions(byte[] options)
    • toByteArray

      public byte[] toByteArray(org.mozilla.jss.pkix.crmf.PKIArchiveOptions options)
    • fillCertReqMsg

      public void fillCertReqMsg(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCUnsupportedExtException
      Throws:
      EProfileException
      ECMCUnsupportedExtException
    • fillPKCS10

      public void fillPKCS10(Locale locale, org.mozilla.jss.netscape.security.pkcs.PKCS10 pkcs10, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException, ECMCUnsupportedExtException
      Throws:
      EProfileException
      ECMCUnsupportedExtException
    • fillNSNKEY

      public void fillNSNKEY(Locale locale, String sn, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
      Throws:
      EProfileException
    • fillNSHKEY

      public void fillNSHKEY(Locale locale, String tcuid, String skey, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
      Throws:
      EProfileException
    • fillKeyGen

      public void fillKeyGen(Locale locale, org.mozilla.jss.netscape.security.util.DerInputStream derIn, org.mozilla.jss.netscape.security.x509.X509CertInfo info, Request req) throws EProfileException
      Throws:
      EProfileException
    • getLocale

      public Locale getLocale(Request request)
    • populateInput

      public void populateInput(Map<String,String> ctx, Request request) throws Exception
      Populates the input.

      Applies to either all "agent" profile cert requests NOT made through a connector, or all "EE" profile cert requests NOT made through a connector.

      • signed.audit LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST is used when a profile cert request is made (before the approval process)
      Overrides:
      populateInput in class Profile
      Parameters:
      ctx - profile context
      request - the certificate request
      Throws:
      Exception - an error related to this profile has occurred
    • populate

      public void populate(Request request) throws EProfileException
      Description copied from class: Profile
      Passes the request to the set of default policies that populate the profile information against the profile.
      Overrides:
      populate in class Profile
      Parameters:
      request - request
      Throws:
      EProfileException - failed to populate default values
    • validate

      public void validate(Request request) throws ERejectException
      Passes the request to the set of constraint policies that validate the request against the profile.
      Overrides:
      validate in class Profile
      Parameters:
      request - request
      Throws:
      ERejectException - validation violation
    • auditRequesterID

      protected String auditRequesterID(Request request)
      Signed Audit Log Requester ID. This method is inherited by all classes extending EnrollProfile, and is called to obtain the "RequesterID" for a signed audit log message.

      Parameters:
      request - the actual request
      Returns:
      id string containing the signed audit log message RequesterID
    • auditProfileID

      protected String auditProfileID()
      Signed Audit Log Profile ID. This method is inherited by all classes extending EnrollProfile, and is called to obtain the "ProfileID" for a signed audit log message.

      Returns:
      id string containing the signed audit log message ProfileID
    • verifyPOP

      public void verifyPOP(Locale locale, org.mozilla.jss.pkix.crmf.CertReqMsg certReqMsg) throws EProfileException, ECMCPopFailedException
      Throws:
      EProfileException
      ECMCPopFailedException