001/*
002 * Copyright 2021-2022 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2021-2022 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2021-2022 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.ldap.sdk.unboundidds.extensions;
037
038
039
040import java.util.ArrayList;
041import java.util.List;
042
043import com.unboundid.asn1.ASN1Boolean;
044import com.unboundid.asn1.ASN1Element;
045import com.unboundid.asn1.ASN1OctetString;
046import com.unboundid.asn1.ASN1Sequence;
047import com.unboundid.ldap.sdk.Control;
048import com.unboundid.ldap.sdk.ExtendedRequest;
049import com.unboundid.ldap.sdk.ExtendedResult;
050import com.unboundid.ldap.sdk.LDAPConnection;
051import com.unboundid.ldap.sdk.LDAPException;
052import com.unboundid.ldap.sdk.ResultCode;
053import com.unboundid.util.Debug;
054import com.unboundid.util.NotMutable;
055import com.unboundid.util.NotNull;
056import com.unboundid.util.Nullable;
057import com.unboundid.util.StaticUtils;
058import com.unboundid.util.ThreadSafety;
059import com.unboundid.util.ThreadSafetyLevel;
060import com.unboundid.util.Validator;
061
062import static com.unboundid.ldap.sdk.unboundidds.extensions.ExtOpMessages.*;
063
064
065
066/**
067 * This class defines an extended request that may be used to request that a
068 * Ping Identity Directory Server instance (or related Ping Identity server
069 * product) replace its inter-server certificate.  The new certificate data may
070 * be contained in a key store file on the server filesystem or included in the
071 * extended request itself.
072 * <BR>
073 * <BLOCKQUOTE>
074 *   <B>NOTE:</B>  This class, and other classes within the
075 *   {@code com.unboundid.ldap.sdk.unboundidds} package structure, are only
076 *   supported for use against Ping Identity, UnboundID, and
077 *   Nokia/Alcatel-Lucent 8661 server products.  These classes provide support
078 *   for proprietary functionality or for external specifications that are not
079 *   considered stable or mature enough to be guaranteed to work in an
080 *   interoperable way with other types of LDAP servers.
081 * </BLOCKQUOTE>
082 * <BR>
083 * This extended request has an OID of 1.3.6.1.4.1.30221.2.6.69 and a value with
084 * the following encoding:
085 * <PRE>
086 *   ReplaceInterServerCertificateValue ::= SEQUENCE {
087 *     keyStoreContent           CHOICE {
088 *       keyStoreFile              [0] KeyStoreFileSequence,
089 *       keyStoreData              [1] KeyStoreDataSequence,
090 *       certificateData            [2] CertificateDataSequence,
091 *       ... },
092 *    skipCertificateValidation  [16] BOOLEAN DEFAULT FALSE,
093 *    ... }
094 *
095 *   KeyStoreFileSequence ::= SEQUENCE {
096 *     path                    [8]  OCTET STRING,
097 *     keyStorePIN             [9]  OCTET STRING,
098 *     privateKeyPIN           [10] OCTET STRING OPTIONAL,
099 *     keyStoreType            [11] OCTET STRING OPTIONAL,
100 *     sourceCertificateAlias  [12] OCTET STRING OPTIONAL,
101 *     ... }
102 *
103 *   KeyStoreDataSequence ::= SEQUENCE {
104 *     keyStoreData            [13] OCTET STRING,
105 *     keyStorePIN             [9]  OCTET STRING,
106 *     privateKeyPIN           [10]  OCTET STRING OPTIONAL,
107 *     keyStoreType            [11] OCTET STRING OPTIONAL,
108 *     sourceCertificateAlias  [12] OCTET STRING OPTIONAL,
109 *     ... }
110 *
111 *   CertificateDataSequence ::= SEQUENCE {
112 *     certificateChain  [14] SEQUENCE SIZE (1..MAX) OF OCTET STRING,
113 *     privateKey        [15] OCTET STRING OPTIONAL,
114 *     ... }
115 * </PRE>
116 * <BR><BR>
117 *
118 * @see  ReplaceInterServerCertificateExtendedResult
119 */
120@NotMutable()
121@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
122public final class ReplaceInterServerCertificateExtendedRequest
123       extends ExtendedRequest
124{
125  /**
126   * The OID (1.3.6.1.4.1.30221.2.6.69) for the replace inter-server certificate
127   * extended request.
128   */
129  @NotNull public static final String REPLACE_INTER_SERVER_CERT_REQUEST_OID =
130       "1.3.6.1.4.1.30221.2.6.69";
131
132
133
134  /**
135   * The BER type for the request value element that indicates whether to
136   * skip validation for the new certificate chain.
137   */
138  private static final byte TYPE_SKIP_CERT_VALIDATION = (byte) 0x90;
139
140
141
142  /**
143   * The serial version UID for this serializable class.
144   */
145  private static final long serialVersionUID = 2244751901271649579L;
146
147
148
149  // Indicates whether to skip validation for the new certificate chain.
150  private final boolean skipCertificateValidation;
151
152  // The object providing information about how the server should obtain the new
153  // inter-server certificate data.
154  @NotNull private final ReplaceCertificateKeyStoreContent keyStoreContent;
155
156
157
158  /**
159   * Creates a new replace inter-server certificate extended request with the
160   * provided information.
161   *
162   * @param  keyStoreContent
163   *              An object with information about how the server should obtain
164   *              the new inter-server certificate data.  It must not be
165   *              {@code null}.
166   * @param  skipCertificateValidation
167   *              Indicates whether to skip validation for the new certificate
168   *              chain.
169   * @param  requestControls
170   *              The set of controls to include in the extended request.  It
171   *              may be {@code null} or empty if no request controls should be
172   *              included.
173   */
174  public ReplaceInterServerCertificateExtendedRequest(
175              @NotNull final ReplaceCertificateKeyStoreContent keyStoreContent,
176              final boolean skipCertificateValidation,
177              @Nullable final Control... requestControls)
178  {
179    super(REPLACE_INTER_SERVER_CERT_REQUEST_OID,
180         encodeValue(keyStoreContent, skipCertificateValidation),
181         requestControls);
182
183    this.keyStoreContent = keyStoreContent;
184    this.skipCertificateValidation = skipCertificateValidation;
185  }
186
187
188
189  /**
190   * Encodes the provided information into an ASN.1 octet string suitable for
191   * use as the encoded value for a replace inter-server certificate extended
192   * request.
193   *
194   * @param  keyStoreContent
195   *              An object with information about how the server should obtain
196   *              the new inter-server certificate data.  It must not be
197   *              {@code null}.
198   * @param  skipCertificateValidation
199   *              Indicates whether to skip validation for the new certificate
200   *              chain.
201   *
202   * @return  An ASN.1 octet string containing the encoded request value.
203   */
204  @NotNull()
205  private static ASN1OctetString encodeValue(
206              @NotNull final ReplaceCertificateKeyStoreContent keyStoreContent,
207              final boolean skipCertificateValidation)
208  {
209    Validator.ensureNotNullWithMessage(keyStoreContent,
210         "ReplaceInterServerCertificateExtendedRequest.keyStoreContent must " +
211              "not be null.");
212
213    final List<ASN1Element> elements = new ArrayList<>();
214    elements.add(keyStoreContent.encode());
215
216    if (skipCertificateValidation)
217    {
218      elements.add(new ASN1Boolean(TYPE_SKIP_CERT_VALIDATION, true));
219    }
220
221    return new ASN1OctetString(new ASN1Sequence(elements).encode());
222  }
223
224
225
226  /**
227   * Creates a new replace inter-server certificate extended request that is
228   * decoded from the provided generic extended request.
229   *
230   * @param  request  The generic extended request to be decoded as a replace
231   *                  inter-server certificate extended request.  It must not be
232   *                  {@code null}.
233   *
234   * @throws  LDAPException  If a problem occurs while attempting to decode the
235   *                         provided extended request as a replace inter-server
236   *                         certificate request.
237   */
238  public ReplaceInterServerCertificateExtendedRequest(
239              @NotNull final ExtendedRequest request)
240         throws LDAPException
241  {
242    super(request);
243
244    final ASN1OctetString value = request.getValue();
245    if (value == null)
246    {
247      throw new LDAPException(ResultCode.DECODING_ERROR,
248           ERR_REPLACE_INTER_SERVER_CERT_REQ_NO_VALUE.get());
249    }
250
251    try
252    {
253      final ASN1Element[] elements =
254           ASN1Sequence.decodeAsSequence(value.getValue()).elements();
255      keyStoreContent = ReplaceCertificateKeyStoreContent.decode(elements[0]);
256
257      boolean skipValidation = false;
258      for (int i=1; i < elements.length; i++)
259      {
260        switch (elements[i].getType())
261        {
262          case TYPE_SKIP_CERT_VALIDATION:
263            skipValidation = elements[i].decodeAsBoolean().booleanValue();
264            break;
265        }
266      }
267
268      skipCertificateValidation = skipValidation;
269    }
270    catch (final Exception e)
271    {
272      Debug.debugException(e);
273      throw new LDAPException(ResultCode.DECODING_ERROR,
274         ERR_REPLACE_INTER_SERVER_CERT_DECODE_ERROR.get(
275              StaticUtils.getExceptionMessage(e)),
276           e);
277    }
278  }
279
280
281
282  /**
283   * Retrieves an object with information about how the server should obtain the
284   * new inter-server certificate data.
285   *
286   * @return  An object with information about how the server should obtain the
287   *          new inter-server certificate data.
288   */
289  @NotNull()
290  public ReplaceCertificateKeyStoreContent getKeyStoreContent()
291  {
292    return keyStoreContent;
293  }
294
295
296
297  /**
298   * Indicates whether the server should skip validation processing for the
299   * new certificate chain.
300   *
301   * @return  {@code true} if the server should skip validation processing for
302   *          the new certificate chain, or {@code false} if not.
303   */
304  public boolean skipCertificateValidation()
305  {
306    return skipCertificateValidation;
307  }
308
309
310
311  /**
312   * {@inheritDoc}
313   */
314  @Override()
315  @NotNull()
316  public ReplaceInterServerCertificateExtendedResult process(
317              @NotNull final LDAPConnection connection, final int depth)
318         throws LDAPException
319  {
320    final ExtendedResult extendedResponse = super.process(connection, depth);
321    return new ReplaceInterServerCertificateExtendedResult(extendedResponse);
322  }
323
324
325
326  /**
327   * {@inheritDoc}
328   */
329  @Override()
330  @NotNull()
331  public String getExtendedRequestName()
332  {
333    return INFO_REPLACE_INTER_SERVER_CERT_REQUEST_NAME.get();
334  }
335
336
337
338  /**
339   * {@inheritDoc}
340   */
341  @Override()
342  public void toString(@NotNull final StringBuilder buffer)
343  {
344    buffer.append("ReplaceInterServerCertificateExtendedRequest(oid='");
345    buffer.append(getOID());
346    buffer.append("', keyStoreContent=");
347    keyStoreContent.toString(buffer);
348    buffer.append(", skipCertificateValidation=");
349    buffer.append(skipCertificateValidation);
350
351    final Control[] controls = getControls();
352    if (controls.length > 0)
353    {
354      buffer.append(", controls={");
355      for (int i=0; i < controls.length; i++)
356      {
357        if (i > 0)
358        {
359          buffer.append(", ");
360        }
361
362        buffer.append(controls[i]);
363      }
364      buffer.append('}');
365    }
366
367    buffer.append(')');
368  }
369}