diff options
author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-05-16 22:52:07 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-05-16 22:52:07 +0000 |
commit | 90757db515f3df2e2418fe053318cfe5ad324604 (patch) | |
tree | 4ffb47ebf11689be0b07b1b4f30cef2d0da54434 /pki/base/common/src/com | |
parent | 7d8bb23be55ebd26682b27e9bf523d1f76c1cdd6 (diff) | |
download | pki-90757db515f3df2e2418fe053318cfe5ad324604.tar.gz pki-90757db515f3df2e2418fe053318cfe5ad324604.tar.xz pki-90757db515f3df2e2418fe053318cfe5ad324604.zip |
Bugzilla 580203 - Existing renewals generate CA certificates with validity limited by current
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1101 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com')
4 files changed, 347 insertions, 1 deletions
diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java index 8d26b619d..2f0f66ad2 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java @@ -127,6 +127,8 @@ public class CAValidityConstraint extends CAEnrollConstraint { return true; if (def instanceof ValidityDefault) return true; + if (def instanceof CAValidityDefault) + return true; return false; } } diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java index 7bff5f67a..ca13de3bc 100644 --- a/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java +++ b/pki/base/common/src/com/netscape/cms/profile/constraint/ValidityConstraint.java @@ -202,6 +202,8 @@ public class ValidityConstraint extends EnrollConstraint { return true; if (def instanceof ValidityDefault) return true; + if (def instanceof CAValidityDefault) + return true; return false; } } diff --git a/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java new file mode 100644 index 000000000..f298238b0 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/profile/def/CAValidityDefault.java @@ -0,0 +1,342 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.profile.def; + + +import java.io.*; +import java.text.*; +import java.util.*; +import com.netscape.certsrv.ca.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.profile.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.apps.*; +import com.netscape.cms.profile.common.*; + +import netscape.security.x509.*; + + +/** + * This class implements a CA signing cert enrollment default policy + * that populates a server-side configurable validity + * into the certificate template. + * It allows an agent to bypass the CA's signing cert's expiration constraint + */ +public class CAValidityDefault extends EnrollDefault { + public static final String CONFIG_RANGE = "range"; + public static final String CONFIG_START_TIME = "startTime"; + public static final String CONFIG_BYPASS_CA_NOTAFTER= "bypassCAnotafter"; + + public static final String VAL_NOT_BEFORE = "notBefore"; + public static final String VAL_NOT_AFTER = "notAfter"; + public static final String VAL_BYPASS_CA_NOTAFTER= "bypassCAnotafter"; + + public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss"; + + private long mDefault = 86400000; // 1 days + public ICertificateAuthority mCA = null; + + public CAValidityDefault() { + super(); + addConfigName(CONFIG_RANGE); + addConfigName(CONFIG_START_TIME); + addConfigName(CONFIG_BYPASS_CA_NOTAFTER); + + addValueName(VAL_NOT_BEFORE); + addValueName(VAL_NOT_AFTER); + addValueName(VAL_BYPASS_CA_NOTAFTER); + } + + public void init(IProfile profile, IConfigStore config) + throws EProfileException { + super.init(profile, config); + mCA = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + } + + public void setConfig(String name, String value) + throws EPropertyException { + if (name.equals(CONFIG_RANGE)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + } else if (name.equals(CONFIG_START_TIME)) { + try { + Integer.parseInt(value); + } catch (Exception e) { + throw new EPropertyException(CMS.getUserMessage( + "CMS_INVALID_PROPERTY", CONFIG_START_TIME)); + } + } + super.setConfig(name, value); + } + + public IDescriptor getConfigDescriptor(Locale locale, String name) { + if (name.equals(CONFIG_RANGE)) { + return new Descriptor(IDescriptor.STRING, + null, + "2922", /* 8 years */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_RANGE")); + } else if (name.equals(CONFIG_START_TIME)) { + return new Descriptor(IDescriptor.STRING, + null, + "60", /* 1 minute */ + CMS.getUserMessage(locale, + "CMS_PROFILE_VALIDITY_START_TIME")); + } else if (name.equals(CONFIG_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + + } else { + return null; + } + } + + public IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NOT_BEFORE)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_BEFORE")); + } else if (name.equals(VAL_NOT_AFTER)) { + return new Descriptor(IDescriptor.STRING, null, null, + CMS.getUserMessage(locale, "CMS_PROFILE_NOT_AFTER")); + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return new Descriptor(IDescriptor.BOOLEAN, null, + "false", + CMS.getUserMessage(locale, "CMS_PROFILE_BYPASS_CA_NOTAFTER")); + } else { + return null; + } + } + + public void setValue(String name, Locale locale, + X509CertInfo info, String value) + throws EPropertyException { + if (name == null) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + if (value == null || value.equals("")) { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + CMS.debug("CAValidityDefault: setValue name= "+ name); + + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_BEFORE, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + ParsePosition pos = new ParsePosition(0); + Date date = formatter.parse(value, pos); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + validity.set(CertificateValidity.NOT_AFTER, + date); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + boolean bypassCAvalidity = Boolean.valueOf(value).booleanValue(); + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity="+ bypassCAvalidity); + + BasicConstraintsExtension ext = (BasicConstraintsExtension) + getExtension(PKIXExtensions.BasicConstraints_Id.toString(), info); + + if(ext == null) { + CMS.debug("CAValidityDefault: setValue: this default cannot be applied to non-CA cert."); + return; + } + try { + Boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA); + if(isCA.booleanValue() != true) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."); + return; + } + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue: this default cannot be aplied to non-CA cert."+ e.toString()); + return; + } + + CertificateValidity validity = null; + Date notAfter = null; + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + notAfter = (Date) validity.get(CertificateValidity.NOT_AFTER); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + // not to exceed CA's expiration + Date caNotAfter = + mCA.getSigningUnit().getCertImpl().getNotAfter(); + + if (notAfter.after(caNotAfter)) { + if (bypassCAvalidity == false) { + notAfter = caNotAfter; + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity off. reset notAfter to caNotAfter. reset "); + } else { + CMS.debug("CAValidityDefault: setValue: bypassCAvalidity on. notAfter is after caNotAfter. no reset"); + } + } + try { + validity.set(CertificateValidity.NOT_AFTER, + notAfter); + } catch (Exception e) { + CMS.debug("CAValidityDefault: setValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } + + public String getValue(String name, Locale locale, + X509CertInfo info) + throws EPropertyException { + + if (name == null) + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + + CMS.debug("CAValidityDefault: getValue: name= "+ name); + if (name.equals(VAL_NOT_BEFORE)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_BEFORE)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_NOT_AFTER)) { + SimpleDateFormat formatter = + new SimpleDateFormat(DATE_FORMAT); + CertificateValidity validity = null; + + try { + validity = (CertificateValidity) + info.get(X509CertInfo.VALIDITY); + return formatter.format((Date) + validity.get(CertificateValidity.NOT_AFTER)); + } catch (Exception e) { + CMS.debug("CAValidityDefault: getValue " + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + } else if (name.equals(VAL_BYPASS_CA_NOTAFTER)) { + return "false"; + } else { + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } + + } + + public String getText(Locale locale) { + String params[] = { + getConfig(CONFIG_RANGE), + getConfig(CONFIG_BYPASS_CA_NOTAFTER) + }; + + return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", params); + } + + /** + * Populates the request with this policy default. + */ + public void populate(IRequest request, X509CertInfo info) + throws EProfileException { + + // always + 60 seconds + String startTimeStr = getConfig(CONFIG_START_TIME); + try { + startTimeStr = mapPattern(request, startTimeStr); + } catch (IOException e) { + CMS.debug("CAValidityDefault: populate " + e.toString()); + } + + if (startTimeStr == null || startTimeStr.equals("")) { + startTimeStr = "60"; + } + int startTime = Integer.parseInt(startTimeStr); + Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime)); + long notAfterVal = 0; + + try { + String rangeStr = getConfig(CONFIG_RANGE); + rangeStr = mapPattern(request, rangeStr); + notAfterVal = notBefore.getTime() + + (mDefault * Integer.parseInt(rangeStr)); + } catch (Exception e) { + // configured value is not correct + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE)); + } + Date notAfter = new Date(notAfterVal); + + CertificateValidity validity = + new CertificateValidity(notBefore, notAfter); + + try { + info.set(X509CertInfo.VALIDITY, validity); + } catch (Exception e) { + // failed to insert subject name + CMS.debug("CAValidityDefault: populate " + e.toString()); + throw new EProfileException(CMS.getUserMessage( + getLocale(request), "CMS_INVALID_PROPERTY", X509CertInfo.VALIDITY)); + } + } +} diff --git a/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java index 995f0efac..732e85d6c 100644 --- a/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java +++ b/pki/base/common/src/com/netscape/cms/profile/def/ValidityDefault.java @@ -86,7 +86,7 @@ public class ValidityDefault extends EnrollDefault { if (name.equals(CONFIG_RANGE)) { return new Descriptor(IDescriptor.STRING, null, - "180", + "2922", CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE")); } else if (name.equals(CONFIG_START_TIME)) { |