diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java | 158 |
1 files changed, 84 insertions, 74 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java index 08e479b84..77b50eb1f 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; - import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -37,21 +36,22 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** * Whether to allow renewal of an expired cert. + * * @version $Revision$, $Date$ - * <P> - * <PRE> + * <P> + * + * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> - * <P> - * + * <P> + * * @deprecated * @version $Revision$, $Date$ */ -public class RenewalConstraints extends APolicyRule - implements IRenewalPolicy, IExtendedPluginInfo { +public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, + IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_RENEWAL_NOT_AFTER = "renewalNotAfter"; @@ -65,8 +65,8 @@ public class RenewalConstraints extends APolicyRule private final static Vector defConfParams = new Vector(); static { defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); - defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + - DEF_RENEWAL_NOT_AFTER); + defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + DEF_RENEWAL_NOT_AFTER); } public RenewalConstraints() { @@ -76,14 +76,15 @@ public class RenewalConstraints extends APolicyRule public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to renew an already-expired certificate", - PROP_RENEWAL_NOT_AFTER + ";number;Number of days since certificate expiry after which renewal request would be rejected", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-renewalconstraints", - IExtendedPluginInfo.HELP_TEXT + - ";Permit administrator to decide policy on whether to " + - "permit renewals for already-expired certificates" - }; + PROP_ALLOW_EXPIRED_CERTS + + ";boolean;Allow a user to renew an already-expired certificate", + PROP_RENEWAL_NOT_AFTER + + ";number;Number of days since certificate expiry after which renewal request would be rejected", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Permit administrator to decide policy on whether to " + + "permit renewals for already-expired certificates" }; return params; @@ -92,24 +93,24 @@ public class RenewalConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { - mAllowExpiredCerts = - config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); + mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, + true); String val = config.getString(PROP_RENEWAL_NOT_AFTER, null); - if (val == null) + if (val == null) mRenewalNotAfter = DEF_RENEWAL_NOT_AFTER * DAYS_TO_MS_FACTOR; else { mRenewalNotAfter = Long.parseLong(val) * DAYS_TO_MS_FACTOR; @@ -119,14 +120,15 @@ public class RenewalConstraints extends APolicyRule // never happen. } - CMS.debug("RenewalConstraints: allow expired certs " + mAllowExpiredCerts); + CMS.debug("RenewalConstraints: allow expired certs " + + mAllowExpiredCerts); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { @@ -134,44 +136,52 @@ public class RenewalConstraints extends APolicyRule try { // Get the certificates being renwed. - X509CertImpl[] oldCerts = - req.getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] oldCerts = req + .getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", getInstanceName()), ""); return PolicyResult.REJECTED; } - + if (mAllowExpiredCerts) { CMS.debug("checking validity of each cert"); - // check if each cert to be renewed is expired for more than // allowed days. + // check if each cert to be renewed is expired for more than // + // allowed days. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) - oldCerts[i].get(X509CertImpl.NAME + "." + - X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); - Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] + .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) oldCertInfo + .get(X509CertInfo.VALIDITY); + Date notAfter = (Date) oldValidity + .get(CertificateValidity.NOT_AFTER); // Is the Certificate eligible for renewal ? Date now = CMS.getCurrentDate(); - Date renewedNotAfter = new Date(notAfter.getTime() + - mRenewalNotAfter); + Date renewedNotAfter = new Date(notAfter.getTime() + + mRenewalNotAfter); - CMS.debug("RenewalConstraints: cert " + i + " renewedNotAfter " + renewedNotAfter + " now=" + now); + CMS.debug("RenewalConstraints: cert " + i + + " renewedNotAfter " + renewedNotAfter + " now=" + + now); if (renewedNotAfter.before(now)) { - CMS.debug( - "One or more certificates is expired for more than " + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); - String params[] = { getInstanceName(), Long.toString(mRenewalNotAfter / DAYS_TO_MS_FACTOR) }; - - setError(req, - CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", - params), ""); + CMS.debug("One or more certificates is expired for more than " + + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + + " days"); + String params[] = { + getInstanceName(), + Long.toString(mRenewalNotAfter + / DAYS_TO_MS_FACTOR) }; + + setError( + req, + CMS.getUserMessage( + "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", + params), ""); return PolicyResult.REJECTED; } } @@ -181,35 +191,35 @@ public class RenewalConstraints extends APolicyRule CMS.debug("RenewalConstraints: checking validity of each cert"); // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) - oldCerts[i].get( - X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); - Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] + .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) oldCertInfo + .get(X509CertInfo.VALIDITY); + Date notAfter = (Date) oldValidity + .get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); - CMS.debug("RenewalConstraints: cert " + i + " notAfter " + notAfter + " now=" + now); + CMS.debug("RenewalConstraints: cert " + i + " notAfter " + + notAfter + " now=" + now); if (notAfter.before(now)) { - CMS.debug( - "RenewalConstraints: One or more certificates is expired."); + CMS.debug("RenewalConstraints: One or more certificates is expired."); String params[] = { getInstanceName() }; - setError(req, - CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", - params), ""); + setError(req, CMS.getUserMessage( + "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", params), + ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage( + "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; @@ -217,22 +227,22 @@ public class RenewalConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement( - PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); - confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + - mRenewalNotAfter / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + + mAllowExpiredCerts); + confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + mRenewalNotAfter + / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { |