summaryrefslogtreecommitdiffstats
path: root/base/server/cms/src/com/netscape
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2017-05-19 11:55:14 -0700
committerChristina Fu <cfu@redhat.com>2017-05-22 09:39:55 -0700
commit8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb (patch)
tree7c47fc7fe49d48c2a442bb386fc4372b2d630842 /base/server/cms/src/com/netscape
parent62841380c6400023cf973e273ab974352885fabd (diff)
downloadpki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.tar.gz
pki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.tar.xz
pki-8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb.zip
Ticket#2618 feature: pre-signed CMC renewal request
This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate. The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java26
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java123
2 files changed, 112 insertions, 37 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
index d1403962e..a5f7994b7 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
@@ -87,14 +87,16 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
public void validate(IRequest req, X509CertInfo info)
throws ERejectException {
+ String method = "RenewGracePeriodConstraint: validate: ";
+ String msg = "";
+
String origExpDate_s = req.getExtDataInString("origNotAfter");
- // probably not for renewal
- if (origExpDate_s == null) {
+ if (origExpDate_s == null) { // probably not for renewal
+ CMS.debug(method + " original cert expiration date not found...return without validation");
return;
- } else {
- CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing");
+ } else { //should occur when it's renewal
+ CMS.debug(method + " original cert expiration date found... validating");
}
- CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins");
BigInteger origExpDate_BI = new BigInteger(origExpDate_s);
Date origExpDate = new Date(origExpDate_BI.longValue());
String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE);
@@ -122,7 +124,7 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
Date current = CMS.getCurrentDate();
long millisDiff = origExpDate.getTime() - current.getTime();
- CMS.debug("validateRenewGracePeriod: millisDiff="
+ CMS.debug(method + " millisDiff="
+ millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime());
/*
@@ -134,17 +136,17 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
*/
if (millisDiff >= 0) {
if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) {
+ msg = renew_grace_before + " days before and " +
+ renew_grace_after + " days after original cert expiration date";
throw new ERejectException(CMS.getUserMessage(getLocale(req),
- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD",
- renew_grace_before + " days before and " +
- renew_grace_after + " days after original cert expiration date"));
+ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg));
}
} else {
if ((renew_grace_after > 0) && ((0 - millisDiff) > renew_grace_after_BI.longValue())) {
+ msg = renew_grace_before + " days before and " +
+ renew_grace_after + " days after original cert expiration date";
throw new ERejectException(CMS.getUserMessage(getLocale(req),
- "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD",
- renew_grace_before + " days before and " +
- renew_grace_after + " days after original cert expiration date"));
+ "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg));
}
}
}
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
index 869f0e2cc..33cc7a9c6 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
@@ -17,16 +17,11 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.profile.constraint;
+import java.math.BigInteger;
+import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -41,6 +36,13 @@ import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
import com.netscape.cms.profile.def.NoDefault;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
/**
* This constraint is to check for publickey uniqueness.
* The config param "allowSameKeyRenewal" enables the
@@ -102,9 +104,29 @@ public class UniqueKeyConstraint extends EnrollConstraint {
/**
* Validates the request. The request is not modified
* during the validation.
+ *
+ * It will try to capture orig cert expiration info for renewal later.
+ * Renewal can be either renewal with same key or new key.
+ *
+ * In case of renewing with same key, the old cert record
+ * can be retrieved and used to fill original info such as
+ * original expiration date for use with RenewGracePeriodConstraint.
+ *
+ * In case of renewing with new key, it would be no different from
+ * regular enrollment
+ *
+ * Search by ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA
+ * would tell us if its reusing the same key or not.
+ * If any cert with the same key in the repository is found
+ * to be revoked, then the request is rejected
+ *
+ * This contraint has to go before the RenewGracePeriodConstraint,
+ * but after any of the SubjectName Default and Constraint
*/
public void validate(IRequest request, X509CertInfo info)
throws ERejectException {
+ String method = "UniqueKeyConstraint: validate: ";
+ String msg = "";
boolean rejected = false;
int size = 0;
ICertRecordList list;
@@ -114,6 +136,8 @@ public class UniqueKeyConstraint extends EnrollConstraint {
getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT);
*/
mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL);
+ msg = msg + ": allowSameKeyRenewal=" + mAllowSameKeyRenewal + ";";
+ CMS.debug(method + msg);
try {
CertificateX509Key infokey = (CertificateX509Key)
@@ -131,18 +155,18 @@ public class UniqueKeyConstraint extends EnrollConstraint {
} catch (Exception e) {
throw new ERejectException(
- CMS.getUserMessage(
- getLocale(request),
- "CMS_PROFILE_INTERNAL_ERROR", e.toString()));
+ CMS.getUserMessage(
+ getLocale(request),
+ "CMS_PROFILE_INTERNAL_ERROR", method + e.toString()));
}
/*
* It does not matter if the corresponding cert's status
- * is valid or not, we don't want a key that was once
- * generated before
+ * is valid or not, if mAllowSameKeyRenewal is false,
+ * we don't want a key that was once generated before
*/
if (size > 0) {
- CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key.");
+ CMS.debug(method + "found existing cert with same key");
/*
The following code revokes the existing certs that have
@@ -189,45 +213,94 @@ public class UniqueKeyConstraint extends EnrollConstraint {
sjname_in_req =
(X500Name) subName.get(CertificateSubjectName.DN_NAME);
- CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString());
+ CMS.debug(method +" cert request subject DN =" + sjname_in_req.toString());
Enumeration<ICertRecord> e = list.getCertRecords(0, size - 1);
+ Date latestOrigNotAfter = null;
+ Date origNotAfter = null;
+ boolean first = true;
while (e != null && e.hasMoreElements()) {
ICertRecord rec = e.nextElement();
- X509CertImpl cert = rec.getCertificate();
+ BigInteger serial = rec.getSerialNumber();
+
+ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)
+ || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) {
+ msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";";
+ CMS.debug(method + msg);
+ rejected = true;
+ // this has to break
+ break;
+ }
+ if (!rec.getStatus().equals(ICertRecord.STATUS_VALID)
+ && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) {
+ CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString());
+ // can still find another one to renew
+ continue;
+ }
+ // only VALID or EXPIRED certs could have reached here
+ X509CertImpl origCert = rec.getCertificate();
String certDN =
- cert.getSubjectDN().toString();
- CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN);
+ origCert.getSubjectDN().toString();
+ CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN);
sjname_in_db = new X500Name(certDN);
if (sjname_in_db.equals(sjname_in_req) == false) {
+ msg = msg + "subject name not match in same key renewal;";
rejected = true;
break;
} else {
- rejected = false;
+ CMS.debug("subject name match in same key renewal");
}
+
+ // find the latest expiration date to keep for
+ // Renewal Grace Period Constraint later
+ origNotAfter = origCert.getNotAfter();
+ CMS.debug(method + "origNotAfter =" + origNotAfter.toString());
+ if (first) {
+ latestOrigNotAfter = origNotAfter;
+ first = false;
+ } else if (latestOrigNotAfter.before(origNotAfter)) {
+ CMS.debug(method + "newer cert found");
+ latestOrigNotAfter = origNotAfter;
+ }
+
+ // yes, this could be overwritten by later
+ // found cert(s) that has violations
+ rejected = false;
} // while
+
+ if (latestOrigNotAfter != null) {
+ String existingOrigExpDate_s = request.getExtDataInString("origNotAfter");
+ if (existingOrigExpDate_s != null) {
+ // make sure not to interfere with renewal by serial
+ CMS.debug(method +
+ " original cert expiration date already exists. Not overriding.");
+ } else {
+ // set origNotAfter for RenewGracePeriodConstraint
+ CMS.debug(method + "setting latest original cert expiration in request");
+ request.setExtData("origNotAfter", BigInteger.valueOf(latestOrigNotAfter.getTime()));
+ }
+ }
} else { //subName is null
+ msg = msg +"subject name not found in cert request info;";
rejected = true;
}
} catch (Exception ex1) {
- CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString());
+ CMS.debug(method + msg + ex1.toString());
rejected = true;
} // try
} else {
+ msg = msg + "found existing cert with same key;";
rejected = true;
}// allowSameKeyRenewal
} // (size > 0)
if (rejected == true) {
- CMS.debug("UniqueKeyConstraint: rejected");
- throw new ERejectException(
- CMS.getUserMessage(
- getLocale(request),
- "CMS_PROFILE_DUPLICATE_KEY"));
+ CMS.debug(method + " rejected");
+ throw new ERejectException(msg);
} else {
- CMS.debug("UniqueKeyConstraint: approved");
+ CMS.debug(method + " approved");
}
}
generated by cgit (git 2.34.1) at 2024-06-23 12:34:50 +0000