author | Christina Fu <cfu@redhat.com> | 2016-06-28 18:00:03 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2016-06-29 09:13:42 -0700 |
commit | 659c90869a27871eda27fd730d00b0499873dae2 (patch) | |
tree | 7539d09a771fd8eac5f9b0cbcc071a92367200c2 /base/server/cms/src/com | |
parent | dabe965786bbb367ea04f131d8f4ad2167b3f1cd (diff) | |
Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA
This patch implements a validity check on the notAfter value of the certInfo
and clamps it to the CA signing cert's notAfter if it exceeds that date.
Diffstat (limited to 'base/server/cms/src/com')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java | 23 | ||||
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 3 |
2 files changed, 26 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index 634d07093..21ec8ea73 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -26,6 +26,7 @@ import java.util.Locale;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
@@ -34,6 +35,7 @@ import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
 import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509CertInfo;
 
 /**
@@ -301,6 +303,27 @@ public class ValidityDefault extends EnrollDefault {
             Date notAfter = date.getTime();
             CMS.debug("ValidityDefault: not after: " + notAfter);
 
+            // check and fix notAfter if needed
+            // installAdjustValidity is set during installation if needed
+            boolean adjustValidity =
+                    request.getExtDataInBoolean("installAdjustValidity", false);
+            if (adjustValidity) {
+                CMS.debug("ValidityDefault: populate: adjustValidity is true");
+                ICertificateAuthority ca = (ICertificateAuthority)
+                        CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+                try {
+                    X509CertImpl caCert = ca.getCACert();
+                    Date caNotAfter = caCert.getNotAfter();
+                    if (notAfter.after(caNotAfter)) {
+                        notAfter = caNotAfter;
+                        CMS.debug("ValidityDefault: populate: resetting notAfter to caNotAfter");
+                    }
+                } catch (Exception e) {
+                    throw new EProfileException(
+                            "Unable to get ca certificate: " + e.getMessage(), e);
+                }
+            }
+
             CertificateValidity validity = new CertificateValidity(notBefore, notAfter);
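Review bot: The clamp in the `adjustValidity` branch bounds only `notAfter`, so when the CA signing cert's `notAfter` is already earlier than the computed `notBefore` (an install against an existing CA that is at or past expiry) the branch produces an inverted validity period that `new CertificateValidity(notBefore, notAfter)` accepts without complaint; after `notAfter = caNotAfter;` add `if (notBefore.after(notAfter)) throw new EProfileException("CA signing certificate expires before requested notBefore");` so the request fails instead of yielding an unusable cert. `CMS.getSubsystem(CMS.SUBSYSTEM_CA)` presumably returns null when no CA subsystem is loaded; here that only surfaces as a NullPointerException swallowed by the blanket `catch (Exception e)` and rethrown as `Unable to get ca certificate: null`, so an explicit null check on `ca` with a clear message before the `try` would be friendlier to whoever debugs it. The clamp also runs only when the request carries `installAdjustValidity`, so ordinary enrollments through this default keep the unbounded behaviour; the comment should say that this is intentional and that non-install profiles are expected to enforce the CA bound elsewhere. The enclosing `populate` method starts and ends outside the hunk.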
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 774ff94e3..495e4c0af 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -535,6 +535,9 @@ public class CertUtil {
             CMS.debug("Creating local request exception:" + e.toString());
         }
 
+        // installAdjustValidity tells ValidityDefault to adjust the
+        // notAfter value to that of the CA's signing cert if needed
+        req.setExtData("installAdjustValidity", "true");
         processor.populate(req, info);
 
         PrivateKey caPrik = null;
 |
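Review bot: The new `req.setExtData("installAdjustValidity", "true")` is only honoured if the install profile's validity component is `ValidityDefault`; a profile whose validity is produced by a different default would silently ignore the flag and the subsystem cert could still outlive the CA signing cert, which is the very case Ticket 2389 describes. Either state that assumption in the comment, or add a profile-independent check after `processor.populate(req, info)` that compares the validity in `info` against the CA cert's `notAfter` and fails the install if it is exceeded. The key is also a bare string literal repeated in ValidityDefault; a shared constant such as `public static final String INSTALL_ADJUST_VALIDITY = "installAdjustValidity";` referenced from both sites keeps producer and consumer from drifting. The enclosing method starts and ends outside the hunk.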