1 files changed, 134 insertions, 0 deletions

diff --git a/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
new file mode 100644
index 000000000..ca7d41fc4
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java
@@ -0,0 +1,134 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+
+import java.util.*;
+import java.io.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.apps.*;
+
+import com.netscape.cms.profile.def.*;
+
+import netscape.security.x509.*;
+
+
+/**
+ * This class implements the validity constraint.
+ * It checks if the validity in the certificate
+ * template is within the CA's validity.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CAValidityConstraint extends CAEnrollConstraint {
+
+    private Date mDefNotBefore = null;
+    private Date mDefNotAfter = null;
+
+    public CAValidityConstraint() {
+        super();
+    }
+
+    public void init(IProfile profile, IConfigStore config)
+        throws EProfileException {
+        super.init(profile, config);
+        X509CertImpl caCert = getCACert();
+
+        mDefNotBefore = caCert.getNotBefore();
+        mDefNotAfter = caCert.getNotAfter();
+    }
+
+    /**
+     * Validates the request. The request is not modified
+     * during the validation.
+     */
+    public void validate(IRequest request, X509CertInfo info)
+        throws ERejectException {
+        CMS.debug("CAValidityConstraint: validate start");
+        CertificateValidity v = null;
+
+        try {
+            v = (CertificateValidity) info.get(X509CertInfo.VALIDITY);
+        } catch (Exception e) {
+            throw new ERejectException(CMS.getUserMessage(
+                        getLocale(request), "CMS_PROFILE_VALIDITY_NOT_FOUND"));
+        }
+        Date notBefore = null;
+
+        try {
+            notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE);
+        } catch (IOException e) {
+            CMS.debug("CAValidity: not before " + e.toString());
+            throw new ERejectException(CMS.getUserMessage(
+                        getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE"));
+        }
+        Date notAfter = null;
+
+        try {
+            notAfter = (Date) v.get(CertificateValidity.NOT_AFTER);
+        } catch (IOException e) {
+            CMS.debug("CAValidity: not after " + e.toString());
+            throw new ERejectException(CMS.getUserMessage(
+                        getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER"));
+        }
+
+        if (mDefNotBefore != null) {
+            CMS.debug("ValidtyConstraint: notBefore=" + notBefore + 
+                " defNotBefore=" + mDefNotBefore);
+            if (notBefore.before(mDefNotBefore)) {
+                throw new ERejectException(CMS.getUserMessage(
+                            getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE"));
+            }
+        }
+        CMS.debug("ValidtyConstraint: notAfter=" + notAfter + 
+            " defNotAfter=" + mDefNotAfter);
+        if (notAfter.after(mDefNotAfter)) {
+            throw new ERejectException(CMS.getUserMessage(
+                        getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER"));
+        }
+
+        CMS.debug("CAValidtyConstraint: validate end");
+    }
+
+    public String getText(Locale locale) {
+        String params[] = {
+                mDefNotBefore.toString(),
+                mDefNotAfter.toString()
+            };
+
+        return CMS.getUserMessage(locale, 
+                "CMS_PROFILE_CONSTRAINT_CA_VALIDITY_CONSTRAINT_TEXT", 
+                params);
+    }
+
+    public boolean isApplicable(IPolicyDefault def) {
+        if (def instanceof NoDefault)
+            return true;
+        if (def instanceof UserValidityDefault)
+            return true;
+        if (def instanceof ValidityDefault)
+            return true;
+        if (def instanceof CAValidityDefault)
+            return true;
+        return false;
+    }
+}