Clean up log messages in UniqueSubjectNameConstraint

dogtagpki · Sep 29, 2023 · fa9b952 · fa9b952
1 parent 060bf0e
commit fa9b952
Showing 1 changed file with 41 additions and 17 deletions.
diff --git a/base/ca/src/main/java/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java b/base/ca/src/main/java/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
@@ -33,9 +33,12 @@
 import org.mozilla.jss.netscape.security.x509.X509CertInfo;
 
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.certdb.CertId;
+import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.ERejectException;
 import com.netscape.certsrv.property.Descriptor;
 import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.cms.profile.common.PolicyConstraintConfig;
 import com.netscape.cms.profile.def.NoDefault;
 import com.netscape.cms.profile.def.PolicyDefault;
 import com.netscape.cms.profile.def.SubjectNameDefault;
@@ -51,8 +54,6 @@
  * It checks if the subject name in the certificate is
  * unique in the internal database, ie, no two certificates
  * have the same subject name.
- *
- * @version $Revision$, $Date$
  */
 public class UniqueSubjectNameConstraint extends EnrollConstraint {
 
@@ -66,6 +67,13 @@ public UniqueSubjectNameConstraint() {
         addConfigName(CONFIG_KEY_USAGE_EXTENSION_CHECKING);
     }
 
+    public void init(PolicyConstraintConfig config) throws EProfileException {
+        super.init(config);
+
+        mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING);
+        logger.info("UniqueSubjectNameConstraint: Key usage extension checking: " + mKeyUsageExtensionChecking);
+    }
+
     @Override
     public IDescriptor getConfigDescriptor(Locale locale, String name) {
         if (name.equals(CONFIG_KEY_USAGE_EXTENSION_CHECKING)) {
@@ -143,38 +151,51 @@ private boolean sameKeyUsageExtension(CertRecord rec,
     @Override
     public void validate(Request request, X509CertInfo info)
             throws ERejectException {
-        logger.debug("UniqueSubjectNameConstraint: validate start");
-        CertificateSubjectName sn = null;
-
-        CAEngine engine = CAEngine.getInstance();
-        CertificateRepository certdb = engine.getCertificateRepository();
-
-        mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING);
 
+        CertificateSubjectName sn;
         try {
             sn = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
         } catch (Exception e) {
             throw new ERejectException(
                     CMS.getUserMessage(getLocale(request),
-                            "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));
+                            "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"), e);
         }
 
-        String certsubjectname = null;
+        logger.info("UniqueSubjectNameConstraint: Validating " + sn);
+
         if (sn == null)
             throw new ERejectException(
                     CMS.getUserMessage(getLocale(request),
                             "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));
-        certsubjectname = sn.toString();
+
+        CAEngine engine = CAEngine.getInstance();
+        CertificateRepository certdb = engine.getCertificateRepository();
+
+        String certsubjectname = sn.toString();
         String filter = "x509Cert.subject=" + certsubjectname;
+        logger.info("UniqueSubjectNameConstraint: Searching for " + filter);
+
         Enumeration<CertRecord> sameSubjRecords = null;
         try {
             sameSubjRecords = certdb.findCertRecords(filter);
         } catch (EBaseException e) {
-            logger.warn("UniqueSubjectNameConstraint exception: " + e.getMessage(), e);
+            logger.warn("UniqueSubjectNameConstraint: " + e.getMessage(), e);
+            throw new ERejectException(e);
         }
+
+        logger.info("UniqueSubjectNameConstraint: Results: ");
+
         while (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) {
             CertRecord rec = sameSubjRecords.nextElement();
+            logger.info("UniqueSubjectNameConstraint: - serial number: " + new CertId(rec.getSerialNumber()).toHexString());
+
             String status = rec.getStatus();
+            logger.info("UniqueSubjectNameConstraint:   status: " + status);
+
+            if (status.equals(CertRecord.STATUS_EXPIRED) || status.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
+                logger.info("UniqueSubjectNameConstraint:   expired -> skip");
+                continue;
+            }
 
             RevocationInfo revocationInfo = rec.getRevocationInfo();
             RevocationReason reason = null;
@@ -193,27 +214,30 @@ public void validate(Request request, X509CertInfo info)
                         }
                     }
                 }
-            }
 
-            if (status.equals(CertRecord.STATUS_EXPIRED) || status.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
-                continue;
+                logger.info("UniqueSubjectNameConstraint:   reason: " + reason);
             }
 
             if (status.equals(CertRecord.STATUS_REVOKED) && reason != null &&
                     (!reason.equals(RevocationReason.CERTIFICATE_HOLD))) {
+                logger.info("UniqueSubjectNameConstraint:   revoked -> skip");
                 continue;
             }
 
             if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info)) {
+                logger.info("UniqueSubjectNameConstraint:   different key usage -> skip");
                 continue;
             }
 
+            logger.error("UniqueSubjectNameConstraint: Subject name is not unique");
+
             throw new ERejectException(
                     CMS.getUserMessage(getLocale(request),
                             "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE",
                             certsubjectname));
         }
-        logger.debug("UniqueSubjectNameConstraint: validate end");
+
+        logger.info("UniqueSubjectNameConstraint: Subject name is unique");
     }
 
     @Override