diff options
| author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-05-16 22:52:07 +0000 |
|---|---|---|
| committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-05-16 22:52:07 +0000 |
| commit | 90757db515f3df2e2418fe053318cfe5ad324604 (patch) | |
| tree | 4ffb47ebf11689be0b07b1b4f30cef2d0da54434 | |
| parent | 7d8bb23be55ebd26682b27e9bf523d1f76c1cdd6 (diff) | |
| download | pki-90757db515f3df2e2418fe053318cfe5ad324604.tar.gz pki-90757db515f3df2e2418fe053318cfe5ad324604.tar.xz pki-90757db515f3df2e2418fe053318cfe5ad324604.zip | |
Bugzilla 580203 - Existing renewals generate CA certificates with validity limited by current
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1101 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
9 files changed, 408 insertions, 19 deletions
diff --git a/pki/base/ca/shared/conf/caCert.profile b/pki/base/ca/shared/conf/caCert.profile index e80afc1cc..3e9c83613 100644 --- a/pki/base/ca/shared/conf/caCert.profile +++ b/pki/base/ca/shared/conf/caCert.profile @@ -7,9 +7,9 @@ description=This profile creates a CA certificate that is valid for all signing profileIDMapping=caCACert profileSetIDMapping=caCertSet list=2,4,5,6,7,8 -2.default.class=com.netscape.cms.profile.def.ValidityDefault -2.default.name=Validity Default -2.default.params.range=720 +2.default.class=com.netscape.cms.profile.def.CAValidityDefault +2.default.name=CA Certificate Validity Default +2.default.params.range=2922 2.default.params.startTime=0 4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault 4.default.name=Authority Key Identifier Default diff --git a/pki/base/ca/shared/conf/registry.cfg b/pki/base/ca/shared/conf/registry.cfg index 5cb40faba..f99c43653 100644 --- a/pki/base/ca/shared/conf/registry.cfg +++ b/pki/base/ca/shared/conf/registry.cfg @@ -39,7 +39,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint -defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl +defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default @@ -115,6 +115,9 @@ defaultPolicy.subjectNameDefaultImpl.name=Subject Name Default defaultPolicy.validityDefaultImpl.class=com.netscape.cms.profile.def.ValidityDefault defaultPolicy.validityDefaultImpl.desc=Validty Default defaultPolicy.validityDefaultImpl.name=Validity Default +defaultPolicy.caValidityDefaultImpl.class=com.netscape.cms.profile.def.CAValidityDefault +defaultPolicy.caValidityDefaultImpl.desc=CA Certificate Validty Default +defaultPolicy.caValidityDefaultImpl.name=CA Certificate Validity Default defaultPolicy.subjectInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectInfoAccessExtDefault defaultPolicy.subjectInfoAccessExtDefaultImpl.desc=Subject Info Access Extension Default defaultPolicy.subjectInfoAccessExtDefaultImpl.name=Subject Info Access Extension Default diff --git a/pki/base/ca/shared/profiles/ca/caCACert.cfg b/pki/base/ca/shared/profiles/ca/caCACert.cfg index 6438406e3..37c511fb3 100644 --- a/pki/base/ca/shared/profiles/ca/caCACert.cfg +++ b/pki/base/ca/shared/profiles/ca/caCACert.cfg @@ -20,12 +20,12 @@ policyset.caCertSet.1.default.name=Subject Name Default policyset.caCertSet.1.default.params.name= policyset.caCertSet.2.constraint.class_id=validityConstraintImpl policyset.caCertSet.2.constraint.name=Validity Constraint -policyset.caCertSet.2.constraint.params.range=720 +policyset.caCertSet.2.constraint.params.range=2922 policyset.caCertSet.2.constraint.params.notBeforeCheck=false policyset.caCertSet.2.constraint.params.notAfterCheck=false -policyset.caCertSet.2.default.class_id=validityDefaultImpl -policyset.caCertSet.2.default.name=Validity Default -policyset.caCertSet.2.default.params.range=720 +policyset.caCertSet.2.default.class_id=caValidityDefaultImpl +policyset.caCertSet.2.default.name=CA Certificate Validity Default +policyset.caCertSet.2.default.params.range=2922 policyset.caCertSet.2.default.params.startTime=0 policyset.caCertSet.3.constraint.class_id=keyConstraintImpl policyset.caCertSet.3.constraint.name=Key Constraint diff --git a/pki/base/ca/src/com/netscape/ca/CAService.java b/pki/base/ca/src/com/netscape/ca/CAService.java index 0361006a2..a63391d2e 100644 --- a/pki/base/ca/src/com/netscape/ca/CAService.java +++ b/pki/base/ca/src/com/netscape/ca/CAService.java @@ -615,15 +615,46 @@ public class CAService implements ICAService, IService { Debug.trace("setting default validity"); } - // set to CA's not after if default validity - // exceeds ca's not after. begin = CMS.getCurrentDate(); end = new Date(begin.getTime() + mCA.getDefaultValidity()); certi.set(CertificateValidity.NAME, new CertificateValidity(begin, end)); } - // check if validity exceeds CA time. + /* + * For non-CA certs, check if validity exceeds CA time. + * If so, set to CA's not after if default validity + * exceeds ca's not after. + */ + + // First find out if it is a CA cert + boolean is_ca = false; + CertificateExtensions exts = null; + BasicConstraintsExtension bc_ext = null; + + try { + exts = (CertificateExtensions) + certi.get(X509CertInfo.EXTENSIONS); + if (exts != null) { + Enumeration e = exts.getElements(); + + while (e.hasMoreElements()) { + Extension ext = (Extension) e.nextElement(); + + if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) { + bc_ext = (BasicConstraintsExtension) ext; + } + } + + if(bc_ext != null) { + Boolean isCA = (Boolean) bc_ext.get(BasicConstraintsExtension.IS_CA); + is_ca = isCA.booleanValue(); + } + } // exts != null + } catch (Exception e) { + CMS.debug("EnrollDefault: getExtension " + e.toString()); + } + Date caNotAfter = mCA.getSigningUnit().getCertImpl().getNotAfter(); @@ -631,13 +662,21 @@ public class CAService implements ICAService, IService { mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY")); throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY")); } - if (!mCA.isEnablePastCATime()) { - if (end.after(caNotAfter)) { - end = caNotAfter; - certi.set(CertificateValidity.NAME, - new CertificateValidity(begin, caNotAfter)); - mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER")); - } + + if (end.after(caNotAfter)) { + if(!is_ca) { + if (!mCA.isEnablePastCATime()) { + end = caNotAfter; + certi.set(CertificateValidity.NAME, + new CertificateValidity(begin, caNotAfter)); + CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting"); + } else { + CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting"); + } + } else { + CMS.debug("CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER."); + } //!is_ca + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER")); } // check algorithm in certinfo. diff --git a/pki/base/common/src/UserMessages_en.properties b/pki/base/common/src/UserMessages_en.properties index 025a1d599..b3439fe77 100644 --- a/pki/base/common/src/UserMessages_en.properties +++ b/pki/base/common/src/UserMessages_en.properties @@ -824,6 +824,7 @@ CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER=Check Not After against Not Before CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being set in the future (in seconds). CMS_PROFILE_VALIDITY_RANGE=Validity Range (in days) CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds) +CMS_PROFILE_BYPASS_CA_NOTAFTER=Bypass CA notAfter constraint CMS_PROFILE_VALIDITY_OUT_OF_RANGE=Validity Out of Range {0} days CMS_PROFILE_RENEW_GRACE_BEFORE=Renewal Grace Period Before CMS_PROFILE_RENEW_GRACE_AFTER=Renewal Grace Period After diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java index 8d26b619d..2f0f66ad2 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java @@ -127,6 +127,8 @@ public class CAValidityConstraint extends CAEnrollConstraint { return true; if (def instanceof ValidityDefault) return true; + if (def instanceof CAValidityDefault) + return true; return false; } } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java index 7bff5f67a..ca13de3bc 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java @@ -202,6 +202,8 @@ public class ValidityConstraint extends EnrollConstraint { return true; if (def instanceof ValidityDefault) return true; + if (def instanceof CAValidityDefault) + return true; return false; } } diff --git a/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java new file mode 100644 index 000000000..f298238b0 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java @@ -0,0 +1,342 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + + +import java.io.*; +import java.text.*; +import java.util.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.apps.*; +import com.netscape.cms.profile.common.*; + +import netscape.security.x509.*; + + +/** + * This class implements a CA signing cert enrollment default policy + * that populates a server-side configurable validity + * into the certificate template. + * It allows an agent to bypass the CA's signing cert's expiration constraint + */ +public class CAValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + public static final String CONFIG_BYPASS_CA_NOTAFTER= "bypassCAnotafter"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + public static final String VAL_BYPASS_CA_NOTAFTER= "bypassCAnotafter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + public ICertificateAuthority mCA = null; + + public CAValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_BYPASS_CA_NOTAFTER); + + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + addValueName(VAL_BYPASS_CA_NOTAFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", /* 8 years */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + CMS.debug("CAValidityDefault: setValue name= "+ name); + + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + boolean bypassCAvalidity = Boolean.valueOf(value).booleanValue(); + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity="+ bypassCAvalidity); + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if(ext == null) { + CMS.debug("CAValidityDefault: setValue: this default cannot be applied to non-CA cert."); + return; + } + try { + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + if(isCA.booleanValue() != true) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."); + return; + } + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."+ e.toString()); + return; + } + + CertificateValidity validity = null; + Date notAfter = null; + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + notAfter = (Date) validity.get(CertificateValidity.NOT_AFTER); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + // not to exceed CA's expiration + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (notAfter.after(caNotAfter)) { + if (bypassCAvalidity == false) { + notAfter = caNotAfter; + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity off. reset notAfter to caNotAfter. reset "); + } else { + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity on. notAfter is after caNotAfter. no reset"); + } + } + try { + validity.set(CertificateValidity.NOT_AFTER, + notAfter); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + CMS.debug("CAValidityDefault: getValue: name= "+ name); + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return "false"; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_RANGE), + getConfig(CONFIG_BYPASS_CA_NOTAFTER) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("CAValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java index 995f0efac..732e85d6c 100644 --- a/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java +++ b/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java @@ -86,7 +86,7 @@ public class ValidityDefault extends EnrollDefault { if (name.equals(CONFIG_RANGE)) { return new Descriptor(IDescriptor.STRING, null, - "180", + "2922", CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); } else if (name.equals(CONFIG_START_TIME)) { |