authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-05-16 22:52:07 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-05-16 22:52:07 +0000
commit90757db515f3df2e2418fe053318cfe5ad324604 (patch)
tree4ffb47ebf11689be0b07b1b4f30cef2d0da54434 /pki/base/ca
parent7d8bb23be55ebd26682b27e9bf523d1f76c1cdd6 (diff)
Bugzilla 580203 - Existing renewals generate CA certificates with validity limited by current
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1101 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca')
-rw-r--r--pki/base/ca/shared/conf/caCert.profile6
-rw-r--r--pki/base/ca/shared/conf/registry.cfg5
-rw-r--r--pki/base/ca/shared/profiles/ca/caCACert.cfg8
-rw-r--r--pki/base/ca/src/com/netscape/ca/CAService.java59
4 files changed, 60 insertions, 18 deletions
diff --git a/pki/base/ca/shared/conf/caCert.profile b/pki/base/ca/shared/conf/caCert.profile
index e80afc1cc..3e9c83613 100644
--- a/pki/base/ca/shared/conf/caCert.profile
+++ b/pki/base/ca/shared/conf/caCert.profile
@@ -7,9 +7,9 @@ description=This profile creates a CA certificate that is valid for all signing
profileIDMapping=caCACert
profileSetIDMapping=caCertSet
list=2,4,5,6,7,8
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
-2.default.name=Validity Default
-2.default.params.range=720
+2.default.class=com.netscape.cms.profile.def.CAValidityDefault
+2.default.name=CA Certificate Validity Default
+2.default.params.range=2922
2.default.params.startTime=0
4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
4.default.name=Authority Key Identifier Default
diff --git a/pki/base/ca/shared/conf/registry.cfg b/pki/base/ca/shared/conf/registry.cfg
index 5cb40faba..f99c43653 100644
--- a/pki/base/ca/shared/conf/registry.cfg
+++ b/pki/base/ca/shared/conf/registry.cfg
@@ -39,7 +39,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -115,6 +115,9 @@ defaultPolicy.subjectNameDefaultImpl.name=Subject Name Default
defaultPolicy.validityDefaultImpl.class=com.netscape.cms.profile.def.ValidityDefault
defaultPolicy.validityDefaultImpl.desc=Validty Default
defaultPolicy.validityDefaultImpl.name=Validity Default
+defaultPolicy.caValidityDefaultImpl.class=com.netscape.cms.profile.def.CAValidityDefault
+defaultPolicy.caValidityDefaultImpl.desc=CA Certificate Validty Default
+defaultPolicy.caValidityDefaultImpl.name=CA Certificate Validity Default
defaultPolicy.subjectInfoAccessExtDefaultImpl.class=com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
defaultPolicy.subjectInfoAccessExtDefaultImpl.desc=Subject Info Access Extension Default
defaultPolicy.subjectInfoAccessExtDefaultImpl.name=Subject Info Access Extension Default
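Review bot: The new `desc` entry for caValidityDefaultImpl carries the typo `Validty`, copied from the existing validityDefaultImpl entry two lines above; since the desc appears to be a human-readable description shown to administrators, it should read `defaultPolicy.caValidityDefaultImpl.desc=CA Certificate Validity Default`. The pre-existing typo on validityDefaultImpl is outside this change but could be corrected in the same pass.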
diff --git a/pki/base/ca/shared/profiles/ca/caCACert.cfg b/pki/base/ca/shared/profiles/ca/caCACert.cfg
index 6438406e3..37c511fb3 100644
--- a/pki/base/ca/shared/profiles/ca/caCACert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caCACert.cfg
@@ -20,12 +20,12 @@ policyset.caCertSet.1.default.name=Subject Name Default
policyset.caCertSet.1.default.params.name=
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.name=Validity Constraint
-policyset.caCertSet.2.constraint.params.range=720
+policyset.caCertSet.2.constraint.params.range=2922
policyset.caCertSet.2.constraint.params.notBeforeCheck=false
policyset.caCertSet.2.constraint.params.notAfterCheck=false
-policyset.caCertSet.2.default.class_id=validityDefaultImpl
-policyset.caCertSet.2.default.name=Validity Default
-policyset.caCertSet.2.default.params.range=720
+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
+policyset.caCertSet.2.default.name=CA Certificate Validity Default
+policyset.caCertSet.2.default.params.range=2922
policyset.caCertSet.2.default.params.startTime=0
policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
policyset.caCertSet.3.constraint.name=Key Constraint
diff --git a/pki/base/ca/src/com/netscape/ca/CAService.java b/pki/base/ca/src/com/netscape/ca/CAService.java
index 0361006a2..a63391d2e 100644
--- a/pki/base/ca/src/com/netscape/ca/CAService.java
+++ b/pki/base/ca/src/com/netscape/ca/CAService.java
@@ -615,15 +615,46 @@ public class CAService implements ICAService, IService {
Debug.trace("setting default validity");
}
- // set to CA's not after if default validity
- // exceeds ca's not after.
begin = CMS.getCurrentDate();
end = new Date(begin.getTime() + mCA.getDefaultValidity());
certi.set(CertificateValidity.NAME,
new CertificateValidity(begin, end));
}
- // check if validity exceeds CA time.
+ /*
+ * For non-CA certs, check if validity exceeds CA time.
+ * If so, set to CA's not after if default validity
+ * exceeds ca's not after.
+ */
+
+ // First find out if it is a CA cert
+ boolean is_ca = false;
+ CertificateExtensions exts = null;
+ BasicConstraintsExtension bc_ext = null;
+
+ try {
+ exts = (CertificateExtensions)
+ certi.get(X509CertInfo.EXTENSIONS);
+ if (exts != null) {
+ Enumeration e = exts.getElements();
+
+ while (e.hasMoreElements()) {
+ Extension ext = (Extension) e.nextElement();
+
+ if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) {
+ bc_ext = (BasicConstraintsExtension) ext;
+ }
+ }
+
+ if(bc_ext != null) {
+ Boolean isCA = (Boolean) bc_ext.get(BasicConstraintsExtension.IS_CA);
+ is_ca = isCA.booleanValue();
+ }
+ } // exts != null
+ } catch (Exception e) {
+ CMS.debug("EnrollDefault: getExtension " + e.toString());
+ }
+
Date caNotAfter =
mCA.getSigningUnit().getCertImpl().getNotAfter();
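Review bot: The debug message in the new `catch` block at the end of the extension scan carries the wrong prefix — it reads `EnrollDefault: getExtension`, apparently pasted from another class, while the rest of this method logs as `CAService: issueX509Cert:`; change it to `CMS.debug("CAService: issueX509Cert: getExtension " + e.toString());`. That same broad `catch (Exception e)` also deserves a comment stating the intent, because any failure while reading BasicConstraints leaves `is_ca` false, so the request is treated as a non-CA certificate and the later clamp to the issuer's notAfter still applies — the conservative outcome, which a maintainer should not "fix" by defaulting to true; e.g. `// Any failure here leaves is_ca == false, so the cert is clamped to the CA's notAfter below (fail-safe).` Note as well that the exemption from the issuer-validity clamp keys solely on the BasicConstraints cA flag found in `certi`, presumably populated by the profile's BasicConstraints default rather than by the requester; if a profile allowed the requester to supply that extension the clamp would not apply, so the profile constraints on BasicConstraints are the control to verify, and a one-line comment recording that assumption would help. The enclosing issueX509Cert method begins before and continues past this hunk.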
@@ -631,13 +662,21 @@ public class CAService implements ICAService, IService {
mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_PAST_VALIDITY"));
throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_BEGIN_AFTER_CA_VALIDITY"));
}
- if (!mCA.isEnablePastCATime()) {
- if (end.after(caNotAfter)) {
- end = caNotAfter;
- certi.set(CertificateValidity.NAME,
- new CertificateValidity(begin, caNotAfter));
- mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER"));
- }
+
+ if (end.after(caNotAfter)) {
+ if(!is_ca) {
+ if (!mCA.isEnablePastCATime()) {
+ end = caNotAfter;
+ certi.set(CertificateValidity.NAME,
+ new CertificateValidity(begin, caNotAfter));
+ CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime != true...resetting");
+ } else {
+ CMS.debug("CAService: issueX509Cert: cert past CA's NOT_AFTER...ca.enablePastCATime = true...not resetting");
+ }
+ } else {
+ CMS.debug("CAService: issueX509Cert: CA cert issuance past CA's NOT_AFTER.");
+ } //!is_ca
+ mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_PAST_NOT_AFTER"));
}
// check algorithm in certinfo.