diff options
author | Andrew Wnuk <awnuk@redhat.com> | 2013-05-14 13:27:11 -0400 |
---|---|---|
committer | Andrew Wnuk <awnuk@redhat.com> | 2013-05-14 13:27:11 -0400 |
commit | a6ae98fa5b82ba84dda1bfb37edec4a126411ec5 (patch) | |
tree | fb6aa9533b9bb9f44efc3f896cc3fbe1da30e6e1 /base | |
parent | d6e987b67021ca4202e5ba382ca6fdf7736dd141 (diff) | |
download | pki-a6ae98fa5b82ba84dda1bfb37edec4a126411ec5.tar.gz pki-a6ae98fa5b82ba84dda1bfb37edec4a126411ec5.tar.xz pki-a6ae98fa5b82ba84dda1bfb37edec4a126411ec5.zip |
Randomized validity
This patch provides plug-in randomizing validity
Ticket #607
Diffstat (limited to 'base')
4 files changed, 363 insertions, 1 deletions
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg index f424bdb1b..e4be41d18 100644 --- a/base/ca/shared/conf/registry.cfg +++ b/base/ca/shared/conf/registry.cfg @@ -39,7 +39,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint -defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl +defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default @@ -115,6 +115,9 @@ defaultPolicy.subjectNameDefaultImpl.name=Subject Name Default defaultPolicy.validityDefaultImpl.class=com.netscape.cms.profile.def.ValidityDefault defaultPolicy.validityDefaultImpl.desc=Validty Default defaultPolicy.validityDefaultImpl.name=Validity Default +defaultPolicy.randomizedValidityDefaultImpl.class=com.netscape.cms.profile.def.RandomizedValidityDefault +defaultPolicy.randomizedValidityDefaultImpl.desc=Randomized Validity Default +defaultPolicy.randomizedValidityDefaultImpl.name=Randomized Validity Default defaultPolicy.caValidityDefaultImpl.class=com.netscape.cms.profile.def.CAValidityDefault defaultPolicy.caValidityDefaultImpl.desc=CA Certificate Validty Default defaultPolicy.caValidityDefaultImpl.name=CA Certificate Validity Default diff --git a/base/common/src/UserMessages.properties b/base/common/src/UserMessages.properties index 694c31d65..4bc2115ec 100644 --- a/base/common/src/UserMessages.properties +++ b/base/common/src/UserMessages.properties @@ -834,6 +834,8 @@ CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER=Check Not After against Not Before CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being set in the future (in seconds). CMS_PROFILE_VALIDITY_RANGE=Validity Range (in days) CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds) +CMS_PROFILE_NOT_BEFORE_RANDOM_BITS=Not Before Random Bits +CMS_PROFILE_NOT_AFTER_RANDOM_BITS=Not After Random Bits CMS_PROFILE_BYPASS_CA_NOTAFTER=Bypass CA notAfter constraint CMS_PROFILE_VALIDITY_OUT_OF_RANGE=Validity Out of Range {0} days CMS_PROFILE_RENEW_GRACE_BEFORE=Renewal Grace Period Before diff --git a/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java index eaec5e50f..accbd9d2d 100644 --- a/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java +++ b/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java @@ -36,6 +36,7 @@ import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.cms.profile.def.CAValidityDefault; import com.netscape.cms.profile.def.NoDefault; +import com.netscape.cms.profile.def.RandomizedValidityDefault; import com.netscape.cms.profile.def.UserValidityDefault; import com.netscape.cms.profile.def.ValidityDefault; @@ -210,6 +211,8 @@ public class ValidityConstraint extends EnrollConstraint { return true; if (def instanceof CAValidityDefault) return true; + if (def instanceof RandomizedValidityDefault) + return true; return false; } } diff --git a/base/common/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/common/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java new file mode 100644 index 000000000..b3b16448d --- /dev/null +++ b/base/common/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java @@ -0,0 +1,354 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + +import java.io.IOException; +import java.text.ParsePosition; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.Locale; +import java.util.Random; + +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.X509CertInfo; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.profile.EProfileException; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.property.Descriptor; +import com.netscape.certsrv.property.EPropertyException; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * This class implements an enrollment default policy + * that populates a server-side configurable validity + * into the certificate template. + * + * @version $Revision$, $Date$ + */ +public class RandomizedValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + public static final String CONFIG_NOT_BEFORE_RANDOM_BITS = "notBeforeRandomBits"; + public static final String CONFIG_NOT_AFTER_RANDOM_BITS = "startTimeRandomBits"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDayInMS = 86400000; // 1 days + private Random mRandom = null; + + public RandomizedValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_NOT_BEFORE_RANDOM_BITS); + addConfigName(CONFIG_NOT_AFTER_RANDOM_BITS); + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + mRandom = new Random(); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } else if (name.equals(CONFIG_NOT_BEFORE_RANDOM_BITS)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NOT_BEFORE_RANDOM_BITS)); + } + } else if (name.equals(CONFIG_NOT_AFTER_RANDOM_BITS)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_NOT_AFTER_RANDOM_BITS)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "365", /* 365 days */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, + null, + "0", /* 0 seconds */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_NOT_BEFORE_RANDOM_BITS)) { + return new Descriptor(IDescriptor.STRING, + null, + "10", /* 10 bits */ + CMS.getUserMessage(locale, + "CMS_PROFILE_NOT_BEFORE_RANDOM_BITS")); + } else if (name.equals(CONFIG_NOT_AFTER_RANDOM_BITS)) { + return new Descriptor(IDescriptor.STRING, + null, + "10", /* 10 bits */ + CMS.getUserMessage(locale, + "CMS_PROFILE_NOT_AFTER_RANDOM_BITS")); + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("RandomizedValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("RandomizedValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("RandomizedValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException("Invalid valie"); + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("RandomizedValidityDefault: getValue " + e.toString()); + } + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", + getConfig(CONFIG_RANGE)); + } + + private int randomSecs(int numBits) { + int maxSecs = 0; + int secs = 0; + + if (numBits > Integer.SIZE) { + numBits = Integer.SIZE; + CMS.debug("RandomizedValidityDefault randomSecs "+ + "- number of bits limited to "+numBits); + } + if (numBits > 0) { + maxSecs = (1 << numBits) - 1; + int numBytes = (numBits+7)/8; + int byteSecs = (1 << (numBytes * 8)) - 1; + byte[] randomBits = new byte[numBytes]; + mRandom.nextBytes(randomBits); + for (int i = 0; i < numBytes; i++) { + secs <<= 8; + secs |= (int)(randomBits[i]) & 0xFF; + } + secs &= maxSecs; + } + CMS.debug("RandomizedValidityDefault randomSecs numBits="+numBits+ + " secs="+secs+" maxSecs="+maxSecs); + return secs; + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("RandomizedValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + + String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS); + if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) { + notBeforeRandomBitsStr = "0"; + } + int notBeforeRandomBits = Integer.parseInt(notBeforeRandomBitsStr); + + String notAfterRandomBitsStr = getConfig(CONFIG_NOT_AFTER_RANDOM_BITS); + if (notAfterRandomBitsStr == null || notAfterRandomBitsStr.length() == 0) { + notAfterRandomBitsStr = "0"; + } + int notAfterRandomBits = Integer.parseInt(notAfterRandomBitsStr); + int randomSeconds = randomSecs(notBeforeRandomBits); + long currentTime = CMS.getCurrentDate().getTime(); + Date notBefore = new Date(currentTime + (1000 * startTime)); + CMS.debug("RandomizedValidityDefault populate notBefore = "+notBefore); + Date notBeforeRandomized = new Date(currentTime + (1000 * (startTime - randomSeconds))); + CMS.debug("RandomizedValidityDefault populate notBeforeRandomized = "+notBeforeRandomized); + int maxNotBeforeSecs = (1 << notBeforeRandomBits) - 1; + Date notBeforeMax = new Date(currentTime + (1000 * (startTime - maxNotBeforeSecs))); + CMS.debug("RandomizedValidityDefault populate notBeforeMax = "+notBeforeMax); + + long notAfterValue = 0; + long notAfterValueRandomized = 0; + long notAfterValueMax = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterValue = notBefore.getTime() + (mDayInMS * Integer.parseInt(rangeStr)); + notAfterValueRandomized = notBefore.getTime() + (mDayInMS * Integer.parseInt(rangeStr)) + + (1000 * randomSecs(notAfterRandomBits)); + int maxNotAfterSecs = (1 << notAfterRandomBits) - 1; + notAfterValueMax = notBefore.getTime() + (mDayInMS * Integer.parseInt(rangeStr)) + + (1000 * maxNotAfterSecs); + } catch (Exception e) { + // configured value is not correct + CMS.debug("RandomizedValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterValue); + CMS.debug("RandomizedValidityDefault populate notAfter = "+notAfter); + Date notAfterRandomized = new Date(notAfterValueRandomized); + CMS.debug("RandomizedValidityDefault populate notAfterRandomized = "+notAfterRandomized); + Date notAfterMax = new Date(notAfterValueMax); + CMS.debug("RandomizedValidityDefault populate notAfterMax = "+notAfterMax); + CertificateValidity validity = + new CertificateValidity(notBeforeRandomized, notAfterRandomized); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("RandomizedValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} |