diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java')
-rw-r--r-- | base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java | 250 |
1 files changed, 250 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java b/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java new file mode 100644 index 000000000..468abdf7b --- /dev/null +++ b/base/common/src/com/netscape/cms/policy/extensions/PrivateKeyUsagePeriodExt.java @@ -0,0 +1,250 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.extensions; + + +import java.util.*; +import java.io.*; +import java.text.SimpleDateFormat; +import java.security.cert.*; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.certsrv.policy.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.logging.ILogger; +import netscape.security.x509.*; +import netscape.ldap.*; +import com.netscape.cms.policy.APolicyRule; + + +/** + * PrivateKeyUsagePeriod Identifier Extension policy. + * <P> + * <PRE> + * NOTE: The Policy Framework has been replaced by the Profile Framework. + * </PRE> + * <P> + * + * @deprecated + * @version $Revision$, $Date$ + */ +public class PrivateKeyUsagePeriodExt extends APolicyRule + implements IEnrollmentPolicy, IExtendedPluginInfo { + + private final static String PROP_NOT_BEFORE = "notBefore"; + private final static String PROP_NOT_AFTER = "notAfter"; + protected static final String PROP_IS_CRITICAL = "critical"; + + // 6 months roughly + private final static long defDuration = 60L * 60 * 24 * 180 * 1000; + + private static final String DATE_PATTERN = "MM/dd/yyyy"; + static SimpleDateFormat formatter = new SimpleDateFormat(DATE_PATTERN); + private static Date now = CMS.getCurrentDate(); + private static Date six_months = new Date(now.getTime() + defDuration); + + public static final String DEFAULT_NOT_BEFORE = formatter.format(now); + public static final String DEFAULT_NOT_AFTER = formatter.format(six_months); + + // PKIX specifies the that the extension SHOULD NOT be critical + public static final boolean DEFAULT_CRITICALITY = false; + + protected String mNotBefore; + protected String mNotAfter; + protected boolean mCritical; + + private static Vector defaultParams; + + static { + + formatter.setLenient(false); + + defaultParams = new Vector(); + defaultParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); + defaultParams.addElement(PROP_NOT_BEFORE + "=" + DEFAULT_NOT_BEFORE); + defaultParams.addElement(PROP_NOT_AFTER + "=" + DEFAULT_NOT_AFTER); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_IS_CRITICAL + ";boolean;RFC 2459 recommendation: The profile " + + "recommends against the use of this extension. CAs " + + "conforming to the profile MUST NOT generate certs with " + + "critical private key usage period extensions.", + PROP_NOT_BEFORE + ";string; Date before which the Private Key is invalid.", + PROP_NOT_AFTER + ";string; Date after which the Private Key is invalid.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-privatekeyusageperiod", + IExtendedPluginInfo.HELP_TEXT + + ";Adds (deprecated) Private Key Usage Period Extension. " + + "Defined in RFC 2459 (4.2.1.4)" + }; + + return params; + } + + /** + * Adds the private key usage extension to all certs. + */ + public PrivateKeyUsagePeriodExt() { + NAME = "PrivateKeyUsagePeriodExt"; + DESC = "Sets Private Key Usage Extension for a certificate"; + } + + /** + * Initializes this policy rule. + * ra.Policy.rule.<ruleName>.implName=PrivateKeyUsageExtension + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.notBefore=30 + * ra.Policy.rule.<ruleName>.notAfter=180 + * ra.Policy.rule.<ruleName>.critical=false + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + + try { + // Get params. + mNotBefore = config.getString(PROP_NOT_BEFORE, null); + mNotAfter = config.getString(PROP_NOT_AFTER, null); + mCritical = config.getBoolean(PROP_IS_CRITICAL, false); + + // Check the parameter formats + String notBefore; + String notAfter; + + notBefore = formatter.format(formatter.parse(mNotBefore.trim())); + notAfter = formatter.format(formatter.parse(mNotAfter.trim())); + } catch (Exception e) { + // e.printStackTrace(); + Object[] params = {getInstanceName(), e}; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG"), params); + } + + } + + /** + * Adds a private key usage extension if none exists. + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + PolicyResult res = PolicyResult.ACCEPTED; + + // get cert info. + X509CertInfo[] ci = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + if (ci == null || ci[0] == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO"), NAME); + return PolicyResult.REJECTED; // unrecoverable error. + } + + for (int i = 0; i < ci.length; i++) { + PolicyResult certRes = applyCert(req, ci[i]); + + if (certRes == PolicyResult.REJECTED) + return certRes; + } + return PolicyResult.ACCEPTED; + } + + public PolicyResult applyCert(IRequest req, X509CertInfo certInfo) { + // get private key usage extension from cert info if any. + CertificateExtensions extensions = null; + PrivateKeyUsageExtension ext = null; + + try { + // get subject key id extension if any. + extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + } catch (IOException e) { + // no extensions or subject key identifier extension. + } catch (CertificateException e) { + // no extensions or subject key identifier extension. + } + + if (extensions == null) { + extensions = new CertificateExtensions(); + } else { + // remove any previously computed version of the extension + try { + extensions.delete(PrivateKeyUsageExtension.NAME); + + } catch (IOException e) { + } + + } + + try { + ext = new PrivateKeyUsageExtension( + formatter.parse(mNotBefore), + formatter.parse(mNotAfter)); + certInfo.set(X509CertInfo.VERSION, + new CertificateVersion(CertificateVersion.V3)); + extensions.set(PrivateKeyUsageExtension.NAME, ext); + } catch (Exception e) { + if (e instanceof RuntimeException) + throw (RuntimeException) e; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("POLICY_ERROR_CREATE_PRIVATE_KEY_EXT", e.toString())); + setError(req, CMS.getUserMessage("CMS_POLICY_SUBJECT_KEY_ID_ERROR"), NAME); + return PolicyResult.REJECTED; + } + return PolicyResult.ACCEPTED; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return Empty Vector since this policy has no configuration parameters. + * for this policy instance. + */ + public Vector getInstanceParams() { + Vector params = new Vector(); + + params.addElement(PROP_IS_CRITICAL + "=" + mCritical); + params.addElement(PROP_NOT_BEFORE + "=" + mNotBefore); + params.addElement(PROP_NOT_AFTER + "=" + mNotAfter); + return params; + } + + /** + * Return default parameters for a policy implementation. + * + * @return Empty Vector since this policy implementation has no + * configuration parameters. + */ + public Vector getDefaultParams() { + Vector defParams = new Vector(); + + defParams.addElement(PROP_IS_CRITICAL + "=" + DEFAULT_CRITICALITY); + defParams.addElement(PROP_NOT_BEFORE + "=" + DEFAULT_NOT_BEFORE); + defParams.addElement(PROP_NOT_AFTER + "=" + DEFAULT_NOT_AFTER); + return defParams; + } +} + |