authorEndi S. Dewata <edewata@redhat.com>2014-12-02 17:25:55 -0500
committerEndi S. Dewata <edewata@redhat.com>2014-12-15 11:57:07 -0500
commit5d82ad42001875e28a48ba374d4a467c9ec91f5c (patch)
tree2c32fd69b42077d8fa424ffa8194f4bcddc3f6d6 /base/server/cms/src/com/netscape/cms/profile/constraint
parentaab703ab457ff02d8623933a15574a556dae5e99 (diff)
Added rangeUnit property to certificate profiles.
A new optional property has been added to certificate profiles to specify the range unit. The default range unit is 'day'. The code has been modified to use the Calendar API to calculate the end of validity range based on the range unit. https://fedorahosted.org/pki/ticket/1226
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/profile/constraint')
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java34
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java70
2 files changed, 84 insertions, 20 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
index eb3eb14f6..96b29d669 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
@@ -88,18 +88,36 @@ public abstract class EnrollConstraint implements IPolicyConstraint {
}
public String getConfig(String name) {
+ return getConfig(name, "");
+ }
+
+ /**
+ * Get constraint parameter in profile configuration.
+ *
+ * @param name parameter name
+ * @param defval default value if parameter does not exist
+ * @return parameter value if exists, defval if does not exist, or null if error occured
+ */
+ public String getConfig(String name, String defval) {
+
+ if (mConfig == null) {
+ CMS.debug("Error: Missing profile configuration");
+ return null;
+ }
+
+ IConfigStore params = mConfig.getSubStore("params");
+ if (params == null) {
+ CMS.debug("Error: Missing constraint parameters");
+ return null;
+ }
+
try {
- if (mConfig == null)
- return null;
- if (mConfig.getSubStore("params") != null) {
- String val = mConfig.getSubStore("params").getString(name);
+ return params.getString(name, defval);
- return val;
- }
} catch (EBaseException e) {
- CMS.debug(e.toString());
+ CMS.debug(e);
+ return null;
}
- return "";
}
public void init(IProfile profile, IConfigStore config)
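Review bot: The one-argument `getConfig(name)` now returns `null` in two cases where it used to return `""`: when the `params` sub-store is missing and when `getString` throws `EBaseException`. Callers are outside this hunk, but any that call a method on the result directly would now fail with an unchecked exception instead of seeing an empty value, which matters for constraints that are expected to end in `ERejectException`. I would give the one-argument overload its own Javadoc, e.g. `@return parameter value, "" if it does not exist, or null on a configuration error`, so the changed contract is visible at the call sites. The new Javadoc also has a typo, `occured` should be `occurred`.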
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
index accbd9d2d..eaf0b3bbf 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
@@ -18,6 +18,7 @@
package com.netscape.cms.profile.constraint;
import java.io.IOException;
+import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
@@ -50,6 +51,7 @@ import com.netscape.cms.profile.def.ValidityDefault;
public class ValidityConstraint extends EnrollConstraint {
public static final String CONFIG_RANGE = "range";
+ public static final String CONFIG_RANGE_UNIT = "rangeUnit";
public static final String CONFIG_NOT_BEFORE_GRACE_PERIOD = "notBeforeGracePeriod";
public static final String CONFIG_CHECK_NOT_BEFORE = "notBeforeCheck";
public static final String CONFIG_CHECK_NOT_AFTER = "notAfterCheck";
@@ -58,6 +60,7 @@ public class ValidityConstraint extends EnrollConstraint {
public ValidityConstraint() {
super();
addConfigName(CONFIG_RANGE);
+ addConfigName(CONFIG_RANGE_UNIT);
addConfigName(CONFIG_NOT_BEFORE_GRACE_PERIOD);
addConfigName(CONFIG_CHECK_NOT_BEFORE);
addConfigName(CONFIG_CHECK_NOT_AFTER);
@@ -86,6 +89,9 @@ public class ValidityConstraint extends EnrollConstraint {
if (name.equals(CONFIG_RANGE)) {
return new Descriptor(IDescriptor.INTEGER, null, "365",
CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE"));
+ } else if (name.equals(CONFIG_RANGE_UNIT)) {
+ return new Descriptor(IDescriptor.STRING, null, "day",
+ CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE_UNIT"));
} else if (name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) {
return new Descriptor(IDescriptor.INTEGER, null, "0",
CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD"));
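Review bot: The `rangeUnit` descriptor is declared as a free-form `IDescriptor.STRING`, so a misspelled unit is accepted when the profile is edited and only surfaces later, when `validate` rejects every request with the invalid-unit message. If the descriptor framework's choice type fits here, `new Descriptor(IDescriptor.CHOICE, "year,month,day,hour,minute", "day", ...)` would restrict the value to the five units `convertRangeUnit` understands. The enclosing method starts and ends outside this hunk.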
@@ -99,33 +105,57 @@ public class ValidityConstraint extends EnrollConstraint {
return null;
}
+ public int convertRangeUnit(String unit) throws Exception {
+
+ if (unit.equals("year")) {
+ return Calendar.YEAR;
+
+ } else if (unit.equals("month")) {
+ return Calendar.MONTH;
+
+ } else if (unit.equals("day")) {
+ return Calendar.DAY_OF_YEAR;
+
+ } else if (unit.equals("hour")) {
+ return Calendar.HOUR_OF_DAY;
+
+ } else if (unit.equals("minute")) {
+ return Calendar.MINUTE;
+
+ } else {
+ throw new Exception("Invalid range unit: " + unit);
+ }
+ }
+
/**
* Validates the request. The request is not modified
* during the validation.
*/
public void validate(IRequest request, X509CertInfo info)
throws ERejectException {
- CertificateValidity v = null;
+ CertificateValidity v;
try {
v = (CertificateValidity) info.get(X509CertInfo.VALIDITY);
} catch (Exception e) {
throw new ERejectException(CMS.getUserMessage(getLocale(request),
"CMS_PROFILE_VALIDITY_NOT_FOUND"));
}
- Date notBefore = null;
+ Date notBefore;
try {
notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE);
+ CMS.debug("ValidityConstraint: not before: " + notBefore);
} catch (IOException e) {
CMS.debug("ValidityConstraint: not before not found");
throw new ERejectException(CMS.getUserMessage(getLocale(request),
"CMS_PROFILE_VALIDITY_NOT_FOUND"));
}
- Date notAfter = null;
+ Date notAfter;
try {
notAfter = (Date) v.get(CertificateValidity.NOT_AFTER);
+ CMS.debug("ValidityConstraint: not after: " + notAfter);
} catch (IOException e) {
CMS.debug("ValidityConstraint: not after not found");
throw new ERejectException(CMS.getUserMessage(getLocale(request),
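Review bot: `convertRangeUnit` is public but has no Javadoc and declares `throws Exception`, and `unit.equals(...)` throws a NullPointerException when `unit` is null, which `getConfig` can return on a configuration error. I would add a short Javadoc listing the accepted values (`year`, `month`, `day`, `hour`, `minute`, matched case-sensitively) and the `Calendar` field each maps to. Writing the comparisons as `"year".equals(unit)` lets a null fall through to the final `else`, and `throw new IllegalArgumentException("Invalid range unit: " + unit);` is narrower than raw `Exception`. `validate` continues past the end of this hunk.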
@@ -138,18 +168,34 @@ public class ValidityConstraint extends EnrollConstraint {
"CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE"));
}
- long millisDiff = notAfter.getTime() - notBefore.getTime();
- CMS.debug("ValidityConstraint: millisDiff="
- + millisDiff + " notAfter=" + notAfter.getTime() + " notBefore=" + notBefore.getTime());
- long long_days = (millisDiff / 1000) / 86400;
- CMS.debug("ValidityConstraint: long_days: " + long_days);
- int days = (int) long_days;
- CMS.debug("ValidityConstraint: days: " + days);
+ String rangeStr = getConfig(CONFIG_RANGE, "365");
+ CMS.debug("ValidityConstraint: range: " + rangeStr);
+ int range = Integer.parseInt(rangeStr);
+
+ String rangeUnitStr = getConfig(CONFIG_RANGE_UNIT, "day");
+ CMS.debug("ValidityConstraint: range unit: " + rangeUnitStr);
+
+ int rangeUnit;
+ try {
+ rangeUnit = convertRangeUnit(rangeUnitStr);
+ } catch (Exception e) {
+ throw new ERejectException(CMS.getUserMessage(getLocale(request),
+ "CMS_PROFILE_VALIDITY_INVALID_RANGE_UNIT",
+ rangeUnitStr));
+ }
+
+ // calculate the end of validity range
+ Calendar date = Calendar.getInstance();
+ date.setTime(notBefore);
+ date.add(rangeUnit, range);
+
+ Date limit = date.getTime();
+ CMS.debug("ValidityConstraint: limit: " + limit);
- if (days > Integer.parseInt(getConfig(CONFIG_RANGE))) {
+ if (notAfter.after(limit)) {
throw new ERejectException(CMS.getUserMessage(getLocale(request),
"CMS_PROFILE_VALIDITY_OUT_OF_RANGE",
- Integer.toString(days)));
+ notAfter.toString(), limit.toString()));
}
// 613828
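Review bot: `int range = Integer.parseInt(rangeStr);` sits outside any `try`, and `getConfig` is documented to return null on error, so a missing or non-numeric `range` leaves `validate` as an unchecked `NumberFormatException` rather than the `ERejectException` the method declares. The unit lookup just below is already wrapped this way; the range parse should be too, as sketched below with a placeholder message key because no suitable key is visible in this diff. Separately, `Calendar.getInstance()` uses the JVM's default time zone, so for `day`, `month` and `year` units the computed limit can differ by an hour across a DST change; constructing the calendar with an explicit zone would make the limit independent of the server's settings. `validate` starts before this hunk.

```java
String rangeStr = getConfig(CONFIG_RANGE, "365");
CMS.debug("ValidityConstraint: range: " + rangeStr);

int range;
try {
    range = Integer.parseInt(rangeStr);
} catch (NumberFormatException e) {
    // getConfig() returns null on a configuration error; reject the request
    // instead of letting an unchecked exception escape validate()
    throw new ERejectException(CMS.getUserMessage(getLocale(request),
            "<MESSAGE_KEY_FOR_INVALID_RANGE>", // placeholder, not a key from this diff
            String.valueOf(rangeStr)));
}

// … unchanged: rangeUnit lookup, limit calculation and notAfter check …
```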