diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java')
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java | 342 |
1 files changed, 342 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java new file mode 100644 index 000000000..60f294e36 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java @@ -0,0 +1,342 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.policy.constraints; + + +import java.util.*; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.PolicyResult; +import com.netscape.certsrv.policy.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.common.*; +import netscape.security.x509.*; +import com.netscape.cms.policy.APolicyRule; + + +/** + * RenewalValidityConstraints is a default rule for Certificate + * Renewal. This policy enforces the no of days before which a + * currently active certificate can be renewed and sets new validity + * period for the renewed certificate starting from the the ending + * period in the old certificate. + * + * The main parameters are: + * + * The renewal leadtime in days: - i.e how many days before the + * expiry of the current certificate can one request the renewal. + * min and max validity duration. + * <P> + * <PRE> + * NOTE: The Policy Framework has been replaced by the Profile Framework. + * </PRE> + * <P> + * + * @deprecated + * @version $Revision$, $Date$ + */ +public class RenewalValidityConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { + private long mMinValidity; + private long mMaxValidity; + private long mRenewalInterval; + + private final static String PROP_MIN_VALIDITY = "minValidity"; + private final static String PROP_MAX_VALIDITY = "maxValidity"; + private final static String PROP_RENEWAL_INTERVAL = "renewalInterval"; + public final static int DEF_MIN_VALIDITY = 180; + public final static int DEF_MAX_VALIDITY = 730; + public final static long DEF_RENEWAL_INTERVAL = 15; + public final static long DAYS_TO_MS_FACTOR = 24L * 3600 * 1000; + public static final String CERT_HEADER = "-----BEGIN CERTIFICATE-----\n"; + public static final String CERT_TRAILER = "-----END CERTIFICATE-----\n"; + + private final static Vector defConfParams = new Vector(); + + static { + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + DEF_RENEWAL_INTERVAL); + } + + public String[] getExtendedPluginInfo(Locale locale) { + String[] params = { + PROP_MIN_VALIDITY + ";number;Specifies the minimum validity period, in days, for renewed certificates.", + PROP_MAX_VALIDITY + ";number;Specifies the maximum validity period, in days, for renewed certificates.", + PROP_RENEWAL_INTERVAL + ";number;Specifies how many days before its expiration that a certificate can be renewed.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalvalidityconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject renewal request if the certificate is too far " + + "before it's expiry date" + }; + + return params; + + } + + public RenewalValidityConstraints() { + NAME = "RenewalValidityConstraints"; + DESC = "Enforces minimum and maximum validity and renewal interval for certificate renewal."; + } + + /** + * Initializes this policy rule. + * <P> + * + * The entries probably are of the form: + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minValidity=30 + * ra.Policy.rule.<ruleName>.maxValidity=180 + * ra.Policy.rule.<ruleName>.renewalInterval=15 + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference + */ + public void init(ISubsystem owner, IConfigStore config) + throws EPolicyException { + + // Get min and max validity in days and onfigure them. + try { + String val = config.getString(PROP_MIN_VALIDITY, null); + + if (val == null) + mMinValidity = DEF_MIN_VALIDITY * DAYS_TO_MS_FACTOR; + else + mMinValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + + val = config.getString(PROP_MAX_VALIDITY, null); + if (val == null) + mMaxValidity = DEF_MAX_VALIDITY * DAYS_TO_MS_FACTOR; + else { + mMaxValidity = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + } + val = config.getString(PROP_RENEWAL_INTERVAL, null); + if (val == null) + mRenewalInterval = DEF_RENEWAL_INTERVAL * DAYS_TO_MS_FACTOR; + else { + mRenewalInterval = Long.parseLong(val) * DAYS_TO_MS_FACTOR; + } + + // minValidity can't be bigger than maxValidity. + if (mMinValidity > mMaxValidity) { + String params[] = {getInstanceName(), + String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); + } + + // Renewal interval can't be more than maxValidity. + if (mRenewalInterval > mMaxValidity) { + String params[] = {getInstanceName(), + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR), + String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); + } + } catch (Exception e) { + // e.printStackTrace(); + String[] params = {getInstanceName(), e.toString()}; + + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + } + } + + /** + * Applies the policy on the given Request. + * <P> + * + * @param req The request on which to apply policy. + * @return The policy result object. + */ + public PolicyResult apply(IRequest req) { + + PolicyResult result = PolicyResult.ACCEPTED; + + if (agentApproved(req)) + return result; + + try { + // Get the certificate info from the request + X509CertInfo certInfo[] = + req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + + // Get the certificates being renwed. + X509CertImpl currentCerts[] = + req.getExtDataInCertArray(IRequest.OLD_CERTS); + + // Both certificate info and current certs should be set + if (certInfo == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + if (currentCerts == null) { + setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + if (certInfo.length != currentCerts.length) { + setError(req, CMS.getUserMessage("CMS_POLICY_MISMATCHED_CERTINFO", + getInstanceName()), ""); + return PolicyResult.REJECTED; + } + + // Else check if the renewal interval is okay and then + // set the validity. + for (int i = 0; i < certInfo.length; i++) { + X509CertInfo oldCertInfo = (X509CertInfo) + currentCerts[i].get(X509CertImpl.NAME + + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); + + // Is the Certificate still valid? + Date now = CMS.getCurrentDate(); + + if (notAfter.after(now)) { + // Check if the renewal interval is alright. + long interval = notAfter.getTime() - now.getTime(); + + if (interval > mRenewalInterval) { + setError(req, + CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", + getInstanceName(), + String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", + getInstanceName(), + getCertDetails(req, currentCerts[i])), ""); + + result = PolicyResult.REJECTED; + setDummyValidity(certInfo[i]); + continue; + } + } + + // Else compute new validity. + Date renewedNotBef = notAfter; + Date renewedNotAfter = new Date(notAfter.getTime() + + mMaxValidity); + + // If the new notAfter is within renewal interval days from + // today or already expired, set the notBefore to today. + if (renewedNotAfter.before(now) || + (renewedNotAfter.getTime() - now.getTime()) <= + mRenewalInterval) { + renewedNotBef = now; + renewedNotAfter = new Date(now.getTime() + + mMaxValidity); + } + CertificateValidity newValidity = + new CertificateValidity(renewedNotBef, renewedNotAfter); + + certInfo[i].set(X509CertInfo.VALIDITY, newValidity); + } + } catch (Exception e) { + String params[] = {getInstanceName(), e.toString()}; + + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + result = PolicyResult.REJECTED; + } + return result; + } + + /** + * Return configured parameters for a policy rule instance. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getInstanceParams() { + Vector confParams = new Vector(); + + confParams.addElement(PROP_MIN_VALIDITY + "=" + + mMinValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + + mMaxValidity / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + mRenewalInterval / DAYS_TO_MS_FACTOR); + return confParams; + } + + /** + * Return default parameters for a policy implementation. + * + * @return nvPairs A Vector of name/value pairs. + */ + public Vector getDefaultParams() { + return defConfParams; + } + + // Set dummy validity field so the request will serialize properly + private void setDummyValidity(X509CertInfo certInfo) { + try { + certInfo.set(X509CertInfo.VALIDITY, + new CertificateValidity(CMS.getCurrentDate(), new Date())); + } catch (Exception e) { + } + } + + private String getCertDetails(IRequest req, X509CertImpl cert) { + StringBuffer sb = new StringBuffer(); + + sb.append("\n"); + sb.append("Serial No: " + cert.getSerialNumber().toString(16)); + sb.append("\n"); + sb.append("Validity: " + cert.getNotBefore().toString() + + " - " + cert.getNotAfter().toString()); + sb.append("\n"); + String certType = req.getExtDataInString(IRequest.CERT_TYPE); + + if (certType == null) + certType = IRequest.SERVER_CERT; + if (certType.equals(IRequest.CLIENT_CERT)) { + + /*** Take this our - URL formulation hard to do here. + sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); + sb.append("\n"); + sb.append("/query/certImport?op=displayByserial&serialNumber="); + sb.append(cert.getSerialNumber().toString(16)); + ***/ + sb.append("\n"); + } else { + sb.append("Certificate Content is as follows:"); + sb.append("\n"); + try { + byte[] ba = cert.getEncoded(); + String encodedCert = com.netscape.osutil.OSUtil.BtoA(ba); + + sb.append(CERT_HEADER + encodedCert + CERT_TRAILER); + } catch (Exception e) { + //throw new AssertionException(e.toString()); + } + } + return sb.toString(); + } +} |