summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java198
1 files changed, 97 insertions, 101 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
index 62c49450b..c82c8b1ff 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/ValidityConstraints.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.constraints;
-
import java.util.Date;
import java.util.Locale;
import java.util.Vector;
@@ -35,26 +34,24 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
- * ValidityConstraints is a default rule for Enrollment and
- * Renewal that enforces minimum and maximum validity periods
- * and changes them if not met.
- *
- * Optionally the lead and lag times - i.e how far back into the
- * front or back the notBefore date could go in minutes can also
- * be specified.
+ * ValidityConstraints is a default rule for Enrollment and Renewal that
+ * enforces minimum and maximum validity periods and changes them if not met.
+ *
+ * Optionally the lead and lag times - i.e how far back into the front or back
+ * the notBefore date could go in minutes can also be specified.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class ValidityConstraints extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+public class ValidityConstraints extends APolicyRule implements
+ IEnrollmentPolicy, IExtendedPluginInfo {
protected long mMinValidity;
protected long mMaxValidity;
protected long mLeadTime;
@@ -77,32 +74,29 @@ public class ValidityConstraints extends APolicyRule
private final static Vector defConfParams = new Vector();
static {
- defConfParams.addElement(PROP_MIN_VALIDITY + "=" +
- DEF_MIN_VALIDITY);
- defConfParams.addElement(PROP_MAX_VALIDITY + "=" +
- DEF_MAX_VALIDITY);
- defConfParams.addElement(PROP_LEAD_TIME + "=" +
- DEF_LEAD_TIME);
- defConfParams.addElement(PROP_LAG_TIME + "=" +
- DEF_LAG_TIME);
- defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "=" +
- DEF_NOT_BEFORE_SKEW);
+ defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY);
+ defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY);
+ defConfParams.addElement(PROP_LEAD_TIME + "=" + DEF_LEAD_TIME);
+ defConfParams.addElement(PROP_LAG_TIME + "=" + DEF_LAG_TIME);
+ defConfParams.addElement(PROP_NOT_BEFORE_SKEW + "="
+ + DEF_NOT_BEFORE_SKEW);
}
public String[] getExtendedPluginInfo(Locale locale) {
String[] params = {
PROP_MIN_VALIDITY + ";number;Minimum Validity time, in days",
PROP_MAX_VALIDITY + ";number;Maximum Validity time, in days",
- PROP_LEAD_TIME + ";number;Number of minutes in the future a request's notBefore can be",
+ PROP_LEAD_TIME
+ + ";number;Number of minutes in the future a request's notBefore can be",
PROP_LAG_TIME + ";number;NOT CURRENTLY IN USE",
- PROP_NOT_BEFORE_SKEW + ";number;Number of minutes a cert's notBefore should be in the past",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-validityconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Ensures that the user's requested validity period is " +
- "acceptable. If not specified, as is usually the case, " +
- "this policy will set the validity. See RFC 2459."
- };
+ PROP_NOT_BEFORE_SKEW
+ + ";number;Number of minutes a cert's notBefore should be in the past",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-validityconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Ensures that the user's requested validity period is "
+ + "acceptable. If not specified, as is usually the case, "
+ + "this policy will set the validity. See RFC 2459." };
return params;
@@ -116,19 +110,19 @@ public class ValidityConstraints extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries probably are of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
- * ra.Policy.rule.<ruleName>.enable=true
- * ra.Policy.rule.<ruleName>.minValidity=30
- * ra.Policy.rule.<ruleName>.maxValidity=180
- * ra.Policy.rule.<ruleName>.predicate=ou==Sales
- *
- * @param config The config store reference
+ *
+ * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
+ * ra.Policy.rule.<ruleName>.enable=true
+ * ra.Policy.rule.<ruleName>.minValidity=30
+ * ra.Policy.rule.<ruleName>.maxValidity=180
+ * ra.Policy.rule.<ruleName>.predicate=ou==Sales
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EPolicyException {
+ throws EPolicyException {
// Get min and max validity in days and configure them.
try {
@@ -164,18 +158,18 @@ public class ValidityConstraints extends APolicyRule
mNotBeforeSkew = DEF_NOT_BEFORE_SKEW * MINS_TO_MS_FACTOR;
} catch (Exception e) {
// e.printStackTrace();
- String[] params = {getInstanceName(), e.toString()};
+ String[] params = { getInstanceName(), e.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_CONFIG", params));
}
}
/**
* Applies the policy on the given Request.
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
@@ -184,9 +178,10 @@ public class ValidityConstraints extends APolicyRule
try {
// Get the certificate info from the request
- //X509CertInfo certInfo[] = (X509CertInfo[])
- // req.get(IRequest.CERT_INFO);
- X509CertInfo certInfo[] = req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ // X509CertInfo certInfo[] = (X509CertInfo[])
+ // req.get(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = req
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
// There should be a certificate info set.
if (certInfo == null) {
@@ -197,64 +192,67 @@ public class ValidityConstraints extends APolicyRule
// Else check if validity is within the limit
for (int i = 0; i < certInfo.length; i++) {
- CertificateValidity validity = (CertificateValidity)
- certInfo[i].get(X509CertInfo.VALIDITY);
+ CertificateValidity validity = (CertificateValidity) certInfo[i]
+ .get(X509CertInfo.VALIDITY);
Date notBefore = null, notAfter = null;
if (validity != null) {
- notBefore = (Date)
- validity.get(CertificateValidity.NOT_BEFORE);
- notAfter = (Date)
- validity.get(CertificateValidity.NOT_AFTER);
+ notBefore = (Date) validity
+ .get(CertificateValidity.NOT_BEFORE);
+ notAfter = (Date) validity
+ .get(CertificateValidity.NOT_AFTER);
}
- // If no validity is supplied yet, make one. The default
+ // If no validity is supplied yet, make one. The default
// validity is supposed to pass the following checks, so
// bypass further checking.
// (date = 0 is hack for serialization)
- if (validity == null ||
- (notBefore.getTime() == 0 && notAfter.getTime() == 0)) {
+ if (validity == null
+ || (notBefore.getTime() == 0 && notAfter.getTime() == 0)) {
certInfo[i].set(X509CertInfo.VALIDITY,
- makeDefaultValidity(req));
+ makeDefaultValidity(req));
continue;
}
Date now = CMS.getCurrentDate();
if (notBefore.getTime() > (now.getTime() + mLeadTime)) {
- setError(req, CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME",
- getInstanceName()), "");
+ setError(req,
+ CMS.getUserMessage("CMS_POLICY_INVALID_BEGIN_TIME",
+ getInstanceName()), "");
result = PolicyResult.REJECTED;
}
- if ((notAfter.getTime() - notBefore.getTime()) >
- mMaxValidity) {
- String params[] = {getInstanceName(),
- String.valueOf(
- ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)),
- String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR)};
-
- setError(req, CMS.getUserMessage("CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), "");
+ if ((notAfter.getTime() - notBefore.getTime()) > mMaxValidity) {
+ String params[] = {
+ getInstanceName(),
+ String.valueOf(((notAfter.getTime() - notBefore
+ .getTime()) / DAYS_TO_MS_FACTOR)),
+ String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) };
+
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_MORE_THAN_MAX_VALIDITY", params), "");
result = PolicyResult.REJECTED;
}
- if ((notAfter.getTime() - notBefore.getTime()) <
- mMinValidity) {
- String params[] = {getInstanceName(),
- String.valueOf(
- ((notAfter.getTime() - notBefore.getTime()) / DAYS_TO_MS_FACTOR)),
- String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR)};
-
- setError(req, CMS.getUserMessage("CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), "");
+ if ((notAfter.getTime() - notBefore.getTime()) < mMinValidity) {
+ String params[] = {
+ getInstanceName(),
+ String.valueOf(((notAfter.getTime() - notBefore
+ .getTime()) / DAYS_TO_MS_FACTOR)),
+ String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR) };
+
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_LESS_THAN_MIN_VALIDITY", params), "");
result = PolicyResult.REJECTED;
}
}
} catch (Exception e) {
// e.printStackTrace();
- String params[] = {getInstanceName(), e.toString()};
+ String params[] = { getInstanceName(), e.toString() };
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR",
- params), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
result = PolicyResult.REJECTED;
}
return result;
@@ -262,28 +260,28 @@ public class ValidityConstraints extends APolicyRule
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getInstanceParams() {
Vector confParams = new Vector();
- confParams.addElement(PROP_MIN_VALIDITY + "=" +
- mMinValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_MAX_VALIDITY + "=" +
- mMaxValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_LEAD_TIME + "="
- + mLeadTime / MINS_TO_MS_FACTOR);
- confParams.addElement(PROP_LAG_TIME + "=" +
- mLagTime / MINS_TO_MS_FACTOR);
- confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" +
- mNotBeforeSkew / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_LEAD_TIME + "=" + mLeadTime
+ / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_LAG_TIME + "=" + mLagTime
+ / MINS_TO_MS_FACTOR);
+ confParams.addElement(PROP_NOT_BEFORE_SKEW + "=" + mNotBeforeSkew
+ / MINS_TO_MS_FACTOR);
return confParams;
}
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getDefaultParams() {
@@ -292,12 +290,12 @@ public class ValidityConstraints extends APolicyRule
/**
* Create a default validity value for a request
- *
+ *
* This code can be easily overridden in a derived class, if the
* calculations here aren't accepatble.
- *
- * TODO: it might be good to base this calculation on the creation
- * time of the request.
+ *
+ * TODO: it might be good to base this calculation on the creation time of
+ * the request.
*/
protected CertificateValidity makeDefaultValidity(IRequest req) {
long now = roundTimeToSecond((CMS.getCurrentDate()).getTime());
@@ -311,13 +309,11 @@ public class ValidityConstraints extends APolicyRule
}
/**
- * convert a millisecond resolution time into one with 1 second
- * resolution. Most times in certificates are storage at 1
- * second resolution, so its better if we deal with things at
- * that level.
+ * convert a millisecond resolution time into one with 1 second resolution.
+ * Most times in certificates are storage at 1 second resolution, so its
+ * better if we deal with things at that level.
*/
protected long roundTimeToSecond(long input) {
return (input / 1000) * 1000;
}
}
-
generated by cgit (git 2.34.1) at 2024-07-01 04:35:04 +0000