authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-11-18 23:39:12 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2008-11-18 23:39:12 +0000
commitab68b8dc0a485e2b4bf505cbdea8da786a13ce41 (patch)
treeb665054fd8b4749578137f3e72998f701bef0a7a /pki/base/ca
parent0e913677fe84263495a20c1fe4f47508f762a1ad (diff)
Bugzilla Bug #471622 - Need Renewal feature via enrollment profile Framework (Phase 1)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@141 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg11
-rw-r--r--pki/base/ca/shared/conf/registry.cfg10
-rw-r--r--pki/base/ca/shared/profiles/ca/caDirUserCert.cfg8
-rwxr-xr-xpki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg12
-rwxr-xr-xpki/base/ca/shared/profiles/ca/caManualRenewal.cfg11
-rwxr-xr-xpki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg9
-rw-r--r--pki/base/ca/shared/profiles/ca/caUserCert.cfg8
7 files changed, 64 insertions, 5 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index b552a6b29..7d8fd4140 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -106,6 +106,7 @@ CrossCertPair.ldap=internaldb
accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
+accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
auths._000=##
auths._001=## new authentication
auths._002=##
@@ -116,6 +117,7 @@ auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthenti
auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
+auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
@@ -129,6 +131,7 @@ auths.instance.raCertAuth.agentGroup=Registration Manager Agents
auths.instance.raCertAuth.pluginName=AgentCertAuth
auths.instance.flatFileAuth.pluginName=FlatFileAuth
auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/flatfile.txt
+auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
auths.revocationChecking.bufferSize=50
auths.revocationChecking.ca=ca
auths.revocationChecking.enabled=true
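Review bot: The new `auths.instance.SSLclientCertAuth` instance is registered with only `pluginName` and no parameters, whereas the neighbouring `raCertAuth` instance restricts accepted certificates to `agentGroup=Registration Manager Agents`; nothing in this hunk constrains which client certificates the self-renewal profile will accept. Since `auths.revocationChecking.enabled=true` sits directly below, confirm that `SSLclientCertAuthentication` (not in this diff) actually consults it and rejects certificates not issued by this CA, otherwise a revoked or foreign certificate could authenticate a renewal. If the plugin exposes an issuer or group parameter, set it here explicitly rather than relying on plugin defaults.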
@@ -796,9 +799,15 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert
+profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
+profile.caManualRenewal.class_id=caEnrollImpl
+profile.caManualRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caManualRenewal.cfg
+profile.caDirUserRenewal.class_id=caEnrollImpl
+profile.caDirUserRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caDirUserRenewal.cfg
+profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
+profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/profiles/ca/caSSLClientSelfRenewal.cfg
profile.DomainController.class_id=caEnrollImpl
profile.DomainController.config=[PKI_INSTANCE_PATH]/profiles/ca/DomainController.cfg
profile.caAgentFileSigning.class_id=caEnrollImpl
diff --git a/pki/base/ca/shared/conf/registry.cfg b/pki/base/ca/shared/conf/registry.cfg
index 807ebdd4d..5cb40faba 100644
--- a/pki/base/ca/shared/conf/registry.cfg
+++ b/pki/base/ca/shared/conf/registry.cfg
@@ -1,5 +1,5 @@
types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl
constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
@@ -33,6 +33,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
constraintPolicy.validityConstraintImpl.desc=Validity Constraint
constraintPolicy.validityConstraintImpl.name=Validity Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.class=com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
+constraintPolicy.renewGracePeriodConstraintImpl.desc=Renewal Grace Period Constraint
+constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constraint
constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
@@ -161,7 +164,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl
profileInput.fileSigningInputImpl.class=com.netscape.cms.profile.input.FileSigningInput
profileInput.fileSigningInputImpl.desc=File Signing Input
profileInput.fileSigningInputImpl.name=File Signing Input
@@ -192,6 +195,9 @@ profileInput.nsNKeyCertReqInputImpl.name=nsNKeyCertReqInputImpl
profileInput.nsHKeyCertReqInputImpl.class=com.netscape.cms.profile.input.nsHKeyCertReqInput
profileInput.nsHKeyCertReqInputImpl.desc=nsHKeyCertReqInputImpl
profileInput.nsHKeyCertReqInputImpl.name=nsHKeyCertReqInputImpl
+profileInput.serialNumRenewInputImpl.class=com.netscape.cms.profile.input.SerialNumRenewInput
+profileInput.serialNumRenewInputImpl.desc=Certificate Renewal Request Serial Number Input
+profileInput.serialNumRenewInputImpl.name=Certificate Renewal Request Serial Number Input
profileInput.subjectDNInputImpl.class=com.netscape.cms.profile.input.SubjectDNInput
profileInput.subjectDNInputImpl.desc=Subject DN Input
profileInput.subjectDNInputImpl.name=Subject DN Input
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
index 3806d0b21..693f3dc9e 100644
--- a/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -9,7 +9,7 @@ input.i1.class_id=keyGenInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=userCertSet
-policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
@@ -17,6 +17,12 @@ policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name=Validity Constraint
policyset.userCertSet.2.constraint.params.range=365
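Review bot: The grace window `renewal.graceBefore=30` / `renewal.graceAfter=30` is unitless in the profile, and `graceAfter` means an already-expired user certificate can still be renewed for some period, which is a policy decision the profile does not surface. If `RenewGracePeriodConstraint` (outside this diff) interprets these values as days, say so where an agent reading the profile will see it, e.g. `policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint (days before/after expiry)`. Note also that the list `1,10,2,3,...` evaluates the grace check right after the subject-name constraint and before the validity constraint, presumably so a stale renewal is rejected before any validity is computed; if that ordering is deliberate it is worth a word in the commit message.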
diff --git a/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg b/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
new file mode 100755
index 000000000..f0ec21388
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
@@ -0,0 +1,12 @@
+desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=UserDirEnrollment
+authz.acl=user_origreq="auth_token.uid"
+name=Directory-Authenticated User Certificate Self-Renew profile
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
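Review bot: This profile is committed with mode 100755 (the diffstat shows `-rwxr-xr-x` for all three new renewal profiles) while the existing profile configs are `-rw-r--r--`; a configuration file should not carry the executable bit, `chmod 644`. The `authz.acl=user_origreq="auth_token.uid"` line is the right control for self-renewal — it binds the directory-authenticated uid to the uid on the original request — but the profile defines no `policyset`, so the grace window and every other constraint must come from the certificate's original profile. If that is the design, state it in the description, e.g. `desc=This certificate profile is for renewing a certificate by serial number using directory based authentication; constraints are taken from the original certificate's enrollment profile.`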
diff --git a/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg b/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
new file mode 100755
index 000000000..b691b4d10
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
@@ -0,0 +1,11 @@
+desc=This certificate profile is for renewing certificates to be approved manually by agents.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=
+name=Renew certificate to be manually approved by agents
+input.list=i1
+input.i1.class_id=serialNumRenewInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
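Review bot: `auth.instance_id=` is empty and there is no `authz.acl`, so anyone who can reach the enrollment interface can queue a renewal request against any serial number; the only control is the agent's approval. That is a defensible design for a manual profile, but the description should say so because the agent is the sole check: `desc=This certificate profile is for renewing certificates by serial number; the requester is NOT authenticated, so the approving agent must verify that the requester controls the original certificate before approval.` Agents reviewing a queue of serial-number-only requests otherwise have nothing telling them the submitter was anonymous. Consider also whether this profile should ship `visible=true`, since that advertises an unauthenticated endpoint on the end-entity pages.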
diff --git a/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg b/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
new file mode 100755
index 000000000..f89c1b143
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
@@ -0,0 +1,9 @@
+desc=This certificate profile is for renewing SSL client certificates.
+visible=true
+enable=true
+enableBy=admin
+renewal=true
+auth.instance_id=SSLclientCertAuth
+name=Self-renew user SSL client certificates
+output.list=o1
+output.o1.class_id=certOutputImpl
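Review bot: The profile has no `input.list`, so the serial number of the certificate to renew can only come from the TLS client certificate that `SSLclientCertAuth` authenticated, yet unlike `caDirUserRenewal` nothing in the profile (no `authz.acl`) binds the renewed certificate to the presenting one; the binding lives entirely in the plugin, which is outside this diff. If the auth token carries the presented certificate's serial or uid, make the binding explicit with an `authz.acl` as the directory profile does; if it does not, record in `desc` that the plugin itself selects the certificate to renew. Note also that a `graceAfter` window is unreachable through this path in practice, since an expired client certificate will normally fail the TLS handshake before the profile is consulted, so expired-certificate renewal must go through the directory or manual profiles.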
diff --git a/pki/base/ca/shared/profiles/ca/caUserCert.cfg b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
index bd5932a76..56780ac62 100644
--- a/pki/base/ca/shared/profiles/ca/caUserCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -11,7 +11,7 @@ input.i3.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=userCertSet
-policyset.userCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
@@ -19,6 +19,12 @@ policyset.userCertSet.1.constraint.params.accept=true
policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.userCertSet.1.default.name=Subject Name Default
policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name=Validity Constraint
policyset.userCertSet.2.constraint.params.range=365
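Review bot: Only `caUserCert` and `caDirUserCert` receive the `renewGracePeriodConstraintImpl` entry, yet `caManualRenewal` (added in this commit) takes an arbitrary serial number, so certificates issued under any other profile in `profile.list` will reach renewal with no grace-window constraint at all. Whether the renewal code rejects such requests or accepts them at any age depends on how a missing constraint is handled (not visible here); either document which profiles are renewable or add the same `10` block to the remaining end-entity profiles. The `10` entry is paired with `noDefaultImpl`, so it only checks and never sets anything, which is worth a note for readers who expect every policy item to carry a default.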