Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java | 158 |
1 files changed, 74 insertions, 84 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java index 77b50eb1..08e479b8 100644 --- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java +++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalConstraints.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.policy.constraints; + import java.util.Date; import java.util.Locale; import java.util.Vector; @@ -36,22 +37,21 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; + /** * Whether to allow renewal of an expired cert. - * * @version $Revision$, $Date$ - * <P> - * - * <PRE> + * <P> + * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> - * <P> - * + * <P> + * * @deprecated * @version $Revision$, $Date$ */ -public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, - IExtendedPluginInfo { +public class RenewalConstraints extends APolicyRule + implements IRenewalPolicy, IExtendedPluginInfo { private static final String PROP_ALLOW_EXPIRED_CERTS = "allowExpiredCerts"; private static final String PROP_RENEWAL_NOT_AFTER = "renewalNotAfter"; @@ -65,8 +65,8 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, private final static Vector defConfParams = new Vector(); static { defConfParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" + true); - defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" - + DEF_RENEWAL_NOT_AFTER); + defConfParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + DEF_RENEWAL_NOT_AFTER); } public RenewalConstraints() { 
@@ -76,15 +76,14 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_ALLOW_EXPIRED_CERTS - + ";boolean;Allow a user to renew an already-expired certificate", - PROP_RENEWAL_NOT_AFTER - + ";number;Number of days since certificate expiry after which renewal request would be rejected", - IExtendedPluginInfo.HELP_TOKEN - + ";configuration-policyrules-renewalconstraints", - IExtendedPluginInfo.HELP_TEXT - + ";Permit administrator to decide policy on whether to " - + "permit renewals for already-expired certificates" }; + PROP_ALLOW_EXPIRED_CERTS + ";boolean;Allow a user to renew an already-expired certificate", + PROP_RENEWAL_NOT_AFTER + ";number;Number of days since certificate expiry after which renewal request would be rejected", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Permit administrator to decide policy on whether to " + + "permit renewals for already-expired certificates" + }; return params; 
@@ -93,24 +92,24 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.allowExpiredCerts=true - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.allowExpiredCerts=true + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and configure them. try { - mAllowExpiredCerts = config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, - true); + mAllowExpiredCerts = + config.getBoolean(PROP_ALLOW_EXPIRED_CERTS, true); String val = config.getString(PROP_RENEWAL_NOT_AFTER, null); - if (val == null) + if (val == null) mRenewalNotAfter = DEF_RENEWAL_NOT_AFTER * DAYS_TO_MS_FACTOR; else { mRenewalNotAfter = Long.parseLong(val) * DAYS_TO_MS_FACTOR; @@ -120,15 +119,14 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, // never happen. } - CMS.debug("RenewalConstraints: allow expired certs " - + mAllowExpiredCerts); + CMS.debug("RenewalConstraints: allow expired certs " + mAllowExpiredCerts); } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { 
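Review bot: In init, `Long.parseLong(val) * DAYS_TO_MS_FACTOR` takes whatever number the config store holds, so a negative `renewalNotAfter`, or one large enough to overflow the multiplication, gives a grace period the administrator did not intend. The renewal check in apply then compares against it unchanged. The handler for a non-numeric value lies between this hunk and the next, where only its `// never happen.` comment is visible, so it appears to ignore the failure. I would parse into a local, reject `days < 0 || days > Long.MAX_VALUE / DAYS_TO_MS_FACTOR` by throwing the EPolicyException that init already declares, and treat a value that does not parse the same way.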
@@ -136,52 +134,44 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, try { // Get the certificates being renwed. - X509CertImpl[] oldCerts = req - .getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl[] oldCerts = + req.getExtDataInCertArray(IRequest.OLD_CERTS); if (oldCerts == null) { setError(req, CMS.getUserMessage("CMS_POLICY_NO_OLD_CERT", getInstanceName()), ""); return PolicyResult.REJECTED; } - + if (mAllowExpiredCerts) { CMS.debug("checking validity of each cert"); - // check if each cert to be renewed is expired for more than // - // allowed days. + // check if each cert to be renewed is expired for more than // allowed days. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get(X509CertImpl.NAME + "." + + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate eligible for renewal ? 
Date now = CMS.getCurrentDate(); - Date renewedNotAfter = new Date(notAfter.getTime() - + mRenewalNotAfter); + Date renewedNotAfter = new Date(notAfter.getTime() + + mRenewalNotAfter); - CMS.debug("RenewalConstraints: cert " + i - + " renewedNotAfter " + renewedNotAfter + " now=" - + now); + CMS.debug("RenewalConstraints: cert " + i + " renewedNotAfter " + renewedNotAfter + " now=" + now); if (renewedNotAfter.before(now)) { - CMS.debug("One or more certificates is expired for more than " - + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) - + " days"); - String params[] = { - getInstanceName(), - Long.toString(mRenewalNotAfter - / DAYS_TO_MS_FACTOR) }; - - setError( - req, - CMS.getUserMessage( - "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", - params), ""); + CMS.debug( + "One or more certificates is expired for more than " + (mRenewalNotAfter / DAYS_TO_MS_FACTOR) + " days"); + String params[] = { getInstanceName(), Long.toString(mRenewalNotAfter / DAYS_TO_MS_FACTOR) }; + + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS_AFTER_ALLOWED_PERIOD", + params), ""); return PolicyResult.REJECTED; } } 
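Review bot: Only `oldCerts == null` is rejected at the top of apply, so a renewal request whose `IRequest.OLD_CERTS` array is empty runs neither this loop nor the one in the following hunk. It comes back with the value `result` was given above the hunk, which is presumably not a rejection. A renewal policy that has examined no certificate should not let the request through; the guard could read `if (oldCerts == null || oldCerts.length == 0) {`. The method starts before this hunk and continues after it.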
@@ -191,35 +181,35 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, CMS.debug("RenewalConstraints: checking validity of each cert"); // check if each cert to be renewed is expired. for (int i = 0; i < oldCerts.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) oldCerts[i] - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) oldCertInfo - .get(X509CertInfo.VALIDITY); - Date notAfter = (Date) oldValidity - .get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) + oldCerts[i].get( + X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) + oldCertInfo.get(X509CertInfo.VALIDITY); + Date notAfter = (Date) + oldValidity.get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); - CMS.debug("RenewalConstraints: cert " + i + " notAfter " - + notAfter + " now=" + now); + CMS.debug("RenewalConstraints: cert " + i + " notAfter " + notAfter + " now=" + now); if (notAfter.before(now)) { - CMS.debug("RenewalConstraints: One or more certificates is expired."); + CMS.debug( + "RenewalConstraints: One or more certificates is expired."); String params[] = { getInstanceName() }; - setError(req, CMS.getUserMessage( - "CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", params), - ""); + setError(req, + CMS.getUserMessage("CMS_POLICY_CANNOT_RENEW_EXPIRED_CERTS", + params), ""); result = PolicyResult.REJECTED; break; } } } catch (Exception e) { - String params[] = { getInstanceName(), e.toString() }; + String params[] = {getInstanceName(), e.toString()}; - setError(req, CMS.getUserMessage( - "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; 
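Review bot: The catch-all that closes apply puts `e.toString()` into the `CMS_POLICY_UNEXPECTED_POLICY_ERROR` text stored on the request by setError, and writes nothing to the debug log. If that request error is shown to the requester, the class name and message of a ClassCastException or NullPointerException from the certificate handling above go with it, while the operator has no server-side trace of what failed. Rejecting here is the right fail-closed result. I would add `CMS.debug("RenewalConstraints: unexpected error: " + e);` before the setError call and pass only `getInstanceName()` to the message unless its consumers are known to be administrators.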
@@ -227,22 +217,22 @@ public class RenewalConstraints extends APolicyRule implements IRenewalPolicy, /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_ALLOW_EXPIRED_CERTS + "=" - + mAllowExpiredCerts); - confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + mRenewalNotAfter - / DAYS_TO_MS_FACTOR); + confParams.addElement( + PROP_ALLOW_EXPIRED_CERTS + "=" + mAllowExpiredCerts); + confParams.addElement(PROP_RENEWAL_NOT_AFTER + "=" + + mRenewalNotAfter / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { |