Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java | 198 |
1 files changed, 97 insertions, 101 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
index 62c49450b..c82c8b1ff 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.constraints;
-
 import java.util.Date;
 import java.util.Locale;
 import java.util.Vector;
@@ -35,26 +34,24 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.PolicyResult;
 import com.netscape.cms.policy.APolicyRule;
-
 /**
- * ValidityConstraints is a default rule for Enrollment and
- * Renewal that enforces minimum and maximum validity periods
- * and changes them if not met.
- *
- * Optionally the lead and lag times - i.e how far back into the
- * front or back the notBefore date could go in minutes can also
- * be specified.
+ * ValidityConstraints is a default rule for Enrollment and Renewal that
+ * enforces minimum and maximum validity periods and changes them if not met.
+ *
+ * Optionally the lead and lag times - i.e how far back into the front or back
+ * the notBefore date could go in minutes can also be specified.
 * <P>
+ *
+ * <PRE>
 * NOTE: The Policy Framework has been replaced by the Profile Framework.
 * </PRE>
 * <P>
- *
+ * @deprecated
 * @version $Revision$, $Date$
 */
-public class ValidityConstraints extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+public class ValidityConstraints extends APolicyRule implements
+ IEnrollmentPolicy, IExtendedPluginInfo {
 protected long mMinValidity;
 protected long mMaxValidity;
 protected long mLeadTime;
@@ -77,32 +74,29 @@ public class ValidityConstraints extends APolicyRule
 private final static Vector defConfParams = new Vector();
 static {
- defConfParams.addElement(PROP_MIN_VALIDITY + "=" +
- DEF_MIN_VALIDITY);
- defConfParams.addElement(PROP_MAX_VALIDITY + "=" +
- DEF_MAX_VALIDITY);
- defConfParams.addElement(PROP_LEAD_TIME + "=" +
- DEF_LEAD_TIME);
- defConfParams.addElement(PROP_LAG_TIME + "=" +
- DEF_LAG_TIME);
- defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" +
- DEF_NOT_BEFORE_SKEW);
+ defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY);
+ defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY);
+ defConfParams.addElement(PROP_LEAD_TIME + "=" + DEF_LEAD_TIME);
+ defConfParams.addElement(PROP_LAG_TIME + "=" + DEF_LAG_TIME);
+ defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "="
+ + DEF_NOT_BEFORE_SKEW);
 }
 public String[] getExtendedPluginInfo(Locale locale) {
 String[] params = {
 PROP_MIN_VALIDITY + ";number;Minimum Validity time, in days",
 PROP_MAX_VALIDITY + ";number;Maximum Validity time, in days",
- PROP_LEAD_TIME + ";number;Number of minutes in the future a request's notBefore can be",
+ PROP_LEAD_TIME
+ + ";number;Number of minutes in the future a request's notBefore can be",
 PROP_LAG_TIME + ";number;NOT CURRENTLY IN USE",
- PROP_NOT_BEFORE_SKEW + ";number;Number of minutes a cert's notBefore should be in the past",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-validityconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Ensures that the user's requested validity period is " +
- "acceptable. If not specified, as is usually the case, " +
- "this policy will set the validity. See RFC 2459."
- };
+ PROP_NOT_BEFORE_SKEW
+ + ";number;Number of minutes a cert's notBefore should be in the past",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-validityconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Ensures that the user's requested validity period is "
+ + "acceptable. 
If not specified, as is usually the case, "
+ + "this policy will set the validity. See RFC 2459." };
 return params;
@@ -116,19 +110,19 @@ public class ValidityConstraints extends APolicyRule
 /**
 * Initializes this policy rule.
 * <P>
- *
+ * The entries probably are of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
- * ra.Policy.rule.<ruleName>.enable=true
- * ra.Policy.rule.<ruleName>.minValidity=30
- * ra.Policy.rule.<ruleName>.maxValidity=180
- * ra.Policy.rule.<ruleName>.predicate=ou==Sales
- *
- * @param config The config store reference
+ *
+ * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
+ * ra.Policy.rule.<ruleName>.enable=true
+ * ra.Policy.rule.<ruleName>.minValidity=30
+ * ra.Policy.rule.<ruleName>.maxValidity=180
+ * ra.Policy.rule.<ruleName>.predicate=ou==Sales
+ *
+ * @param config The config store reference
 */
 public void init(ISubsystem owner, IConfigStore config)
- throws EPolicyException {
+ throws EPolicyException {
 // Get min and max validity in days and configure them.
 try {
@@ -164,18 +158,18 @@ public class ValidityConstraints extends APolicyRule
 mNotBeforeSkew = DEF_NOT_BEFORE_SKEW * MINS_TO_MS_FACTOR;
 } catch (Exception e) {
 // e.printStackTrace();
- String[] params = {getInstanceName(), e.toString()};
+ String[] params = { getInstanceName(), e.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_CONFIG", params));
 }
 }
 /**
 * Applies the policy on the given Request.
 * <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
 * @return The policy result object.
 */
 public PolicyResult apply(IRequest req) {
@@ -184,9 +178,10 @@ public class ValidityConstraints extends APolicyRule
 try {
 // Get the certificate info from the request
- //X509CertInfo certInfo[] = (X509CertInfo[])
- // req.get(IRequest.CERT_INFO);
- X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ // X509CertInfo certInfo[] = (X509CertInfo[])
+ // req.get(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = req
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
 // There should be a certificate info set.
 if (certInfo == null) {
@@ -197,64 +192,67 @@ public class ValidityConstraints extends APolicyRule
 // Else check if validity is within the limit
 for (int i = 0; i < certInfo.length; i++) {
- CertificateValidity validity = (CertificateValidity)
- certInfo[i].get(X509CertInfo.VALIDITY);
+ CertificateValidity validity = (CertificateValidity) certInfo[i]
+ .get(X509CertInfo.VALIDITY);
 Date notBefore = null, notAfter = null;
 if (validity != null) {
- notBefore = (Date)
- validity.get(CertificateValidity.NOT_BEFORE);
- notAfter = (Date)
- validity.get(CertificateValidity.NOT_AFTER);
+ notBefore = (Date) validity
+ .get(CertificateValidity.NOT_BEFORE);
+ notAfter = (Date) validity
+ .get(CertificateValidity.NOT_AFTER);
 }
- // If no validity is supplied yet, make one. The default
+ // If no validity is supplied yet, make one. The default
 // validity is supposed to pass the following checks, so
 // bypass further checking.
 // (date = 0 is hack for serialization)
- if (validity == null ||
- (notBefore.getTime() == 0 && notAfter.getTime() == 0)) {
+ if (validity == null
+ || (notBefore.getTime() == 0 && notAfter.getTime() == 0)) {
 certInfo[i].set(X509CertInfo.VALIDITY,
- makeDefaultValidity(req));
+ makeDefaultValidity(req));
 continue;
 }
 Date now = CMS.getCurrentDate();
 if (notBefore.getTime() > (now.getTime() + mLeadTime)) {
- setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME",
- getInstanceName()), "");
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME",
+ getInstanceName()), "");
 result = PolicyResult.REJECTED;
 }
- if ((notAfter.getTime() - notBefore.getTime()) >
- mMaxValidity) {
- String params[] = {getInstanceName(),
- String.valueOf(
- ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)),
- String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR)};
-
- setError(req, CMS.getUserMessage("CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), "");
+ if ((notAfter.getTime() - notBefore.getTime()) > mMaxValidity) {
+ String params[] = {
+ getInstanceName(),
+ 
String.valueOf(((notAfter.getTime() - notBefore
+ .getTime()) / DAYS_TO_MS_FACTOR)),
+ String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) };
+
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), "");
 result = PolicyResult.REJECTED;
 }
- if ((notAfter.getTime() - notBefore.getTime()) <
- mMinValidity) {
- String params[] = {getInstanceName(),
- String.valueOf(
- ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)),
- String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR)};
-
- setError(req, CMS.getUserMessage("CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), "");
+ if ((notAfter.getTime() - notBefore.getTime()) < mMinValidity) {
+ String params[] = {
+ getInstanceName(),
+ String.valueOf(((notAfter.getTime() - notBefore
+ .getTime()) / DAYS_TO_MS_FACTOR)),
+ String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR) };
+
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), "");
 result = PolicyResult.REJECTED;
 }
 }
 } catch (Exception e) {
 // e.printStackTrace();
- String params[] = {getInstanceName(), e.toString()};
+ String params[] = { getInstanceName(), e.toString() };
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- params), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
 result = PolicyResult.REJECTED;
 }
 return result;
@@ -262,28 +260,28 @@ public class ValidityConstraints extends APolicyRule
 /**
 * Return configured parameters for a policy rule instance.
- *
+ * @return nvPairs A Vector of name/value pairs.
 */
 public Vector getInstanceParams() {
 Vector confParams = new Vector();
- confParams.addElement(PROP_MIN_VALIDITY + "=" +
- mMinValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_MAX_VALIDITY + "=" +
- mMaxValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_LEAD_TIME + "="
- + mLeadTime / MINS_TO_MS_FACTOR);
- confParams.addElement(PROP_LAG_TIME + "=" +
- mLagTime / MINS_TO_MS_FACTOR);
- confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" +
- mNotBeforeSkew / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_LEAD_TIME + "=" + mLeadTime
+ / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_LAG_TIME + "=" + mLagTime
+ / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + mNotBeforeSkew
+ / MINS_TO_MS_FACTOR);
 return confParams;
 }
 /**
 * Return default parameters for a policy implementation.
- *
+ * @return nvPairs A Vector of name/value pairs.
 */
 public Vector getDefaultParams() {
@@ -292,12 +290,12 @@ public class ValidityConstraints extends APolicyRule
 /**
 * Create a default validity value for a request
- *
+ * This code can be easily overridden in a derived class, if the
 * calculations here aren't accepatble.
- *
- * TODO: it might be good to base this calculation on the creation
- * time of the request.
+ *
+ * TODO: it might be good to base this calculation on the creation time of
+ * the request.
 */
 protected CertificateValidity makeDefaultValidity(IRequest req) {
 long now = roundTimeToSecond((CMS.getCurrentDate()).getTime());
@@ -311,13 +309,11 @@ public class ValidityConstraints extends APolicyRule
 }
 /**
- * convert a millisecond resolution time into one with 1 second
- * resolution. Most times in certificates are storage at 1
- * second resolution, so its better if we deal with things at
- * that level.
+ * convert a millisecond resolution time into one with 1 second resolution.
+ * Most times in certificates are storage at 1 second resolution, so its
+ * better if we deal with things at that level.
 */
 protected long roundTimeToSecond(long input) {
 return (input / 1000) * 1000;
 }
 }
- |