summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java201
1 files changed, 100 insertions, 101 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
index 3d98f3c2..8b09c767 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.constraints;
-
import java.util.Date;
import java.util.Locale;
import java.util.Vector;
@@ -36,30 +35,29 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cms.policy.APolicyRule;
-
/**
- * RenewalValidityConstraints is a default rule for Certificate
- * Renewal. This policy enforces the no of days before which a
- * currently active certificate can be renewed and sets new validity
- * period for the renewed certificate starting from the the ending
- * period in the old certificate.
- *
+ * RenewalValidityConstraints is a default rule for Certificate Renewal. This
+ * policy enforces the no of days before which a currently active certificate
+ * can be renewed and sets new validity period for the renewed certificate
+ * starting from the the ending period in the old certificate.
+ *
* The main parameters are:
- *
- * The renewal leadtime in days: - i.e how many days before the
- * expiry of the current certificate can one request the renewal.
- * min and max validity duration.
+ *
+ * The renewal leadtime in days: - i.e how many days before the expiry of the
+ * current certificate can one request the renewal. min and max validity
+ * duration.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class RenewalValidityConstraints extends APolicyRule
- implements IRenewalPolicy, IExtendedPluginInfo {
+public class RenewalValidityConstraints extends APolicyRule implements
+ IRenewalPolicy, IExtendedPluginInfo {
private long mMinValidity;
private long mMaxValidity;
private long mRenewalInterval;
@@ -77,25 +75,25 @@ public class RenewalValidityConstraints extends APolicyRule
private final static Vector defConfParams = new Vector();
static {
- defConfParams.addElement(PROP_MIN_VALIDITY + "=" +
- DEF_MIN_VALIDITY);
- defConfParams.addElement(PROP_MAX_VALIDITY + "=" +
- DEF_MAX_VALIDITY);
- defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" +
- DEF_RENEWAL_INTERVAL);
+ defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY);
+ defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY);
+ defConfParams.addElement(PROP_RENEWAL_INTERVAL + "="
+ + DEF_RENEWAL_INTERVAL);
}
public String[] getExtendedPluginInfo(Locale locale) {
String[] params = {
- PROP_MIN_VALIDITY + ";number;Specifies the minimum validity period, in days, for renewed certificates.",
- PROP_MAX_VALIDITY + ";number;Specifies the maximum validity period, in days, for renewed certificates.",
- PROP_RENEWAL_INTERVAL + ";number;Specifies how many days before its expiration that a certificate can be renewed.",
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-renewalvalidityconstraints",
- IExtendedPluginInfo.HELP_TEXT +
- ";Reject renewal request if the certificate is too far " +
- "before it's expiry date"
- };
+ PROP_MIN_VALIDITY
+ + ";number;Specifies the minimum validity period, in days, for renewed certificates.",
+ PROP_MAX_VALIDITY
+ + ";number;Specifies the maximum validity period, in days, for renewed certificates.",
+ PROP_RENEWAL_INTERVAL
+ + ";number;Specifies how many days before its expiration that a certificate can be renewed.",
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-renewalvalidityconstraints",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";Reject renewal request if the certificate is too far "
+ + "before it's expiry date" };
return params;
@@ -109,20 +107,20 @@ public class RenewalValidityConstraints extends APolicyRule
/**
* Initializes this policy rule.
* <P>
- *
+ *
* The entries probably are of the form:
- *
- * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
- * ra.Policy.rule.<ruleName>.enable=true
- * ra.Policy.rule.<ruleName>.minValidity=30
- * ra.Policy.rule.<ruleName>.maxValidity=180
- * ra.Policy.rule.<ruleName>.renewalInterval=15
- * ra.Policy.rule.<ruleName>.predicate=ou==Sales
- *
- * @param config The config store reference
+ *
+ * ra.Policy.rule.<ruleName>.implName=ValidityConstraints
+ * ra.Policy.rule.<ruleName>.enable=true
+ * ra.Policy.rule.<ruleName>.minValidity=30
+ * ra.Policy.rule.<ruleName>.maxValidity=180
+ * ra.Policy.rule.<ruleName>.renewalInterval=15
+ * ra.Policy.rule.<ruleName>.predicate=ou==Sales
+ *
+ * @param config The config store reference
*/
public void init(ISubsystem owner, IConfigStore config)
- throws EPolicyException {
+ throws EPolicyException {
// Get min and max validity in days and onfigure them.
try {
@@ -148,37 +146,37 @@ public class RenewalValidityConstraints extends APolicyRule
// minValidity can't be bigger than maxValidity.
if (mMinValidity > mMaxValidity) {
- String params[] = {getInstanceName(),
+ String params[] = { getInstanceName(),
String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR),
String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params));
}
// Renewal interval can't be more than maxValidity.
if (mRenewalInterval > mMaxValidity) {
- String params[] = {getInstanceName(),
+ String params[] = { getInstanceName(),
String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR),
String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_INTERVAL", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_RENEWAL_INTERVAL", params));
}
} catch (Exception e) {
// e.printStackTrace();
- String[] params = {getInstanceName(), e.toString()};
+ String[] params = { getInstanceName(), e.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_CONFIG", params));
}
}
/**
* Applies the policy on the given Request.
* <P>
- *
- * @param req The request on which to apply policy.
+ *
+ * @param req The request on which to apply policy.
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
@@ -190,16 +188,16 @@ public class RenewalValidityConstraints extends APolicyRule
try {
// Get the certificate info from the request
- X509CertInfo certInfo[] =
- req.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = req
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
// Get the certificates being renwed.
- X509CertImpl currentCerts[] =
- req.getExtDataInCertArray(IRequest.OLD_CERTS);
+ X509CertImpl currentCerts[] = req
+ .getExtDataInCertArray(IRequest.OLD_CERTS);
// Both certificate info and current certs should be set
if (certInfo == null) {
- setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO",
+ setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO",
getInstanceName()), "");
return PolicyResult.REJECTED;
}
@@ -209,21 +207,21 @@ public class RenewalValidityConstraints extends APolicyRule
return PolicyResult.REJECTED;
}
if (certInfo.length != currentCerts.length) {
- setError(req, CMS.getUserMessage("CMS_POLICY_MISMATCHED_CERTINFO",
- getInstanceName()), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_MISMATCHED_CERTINFO", getInstanceName()),
+ "");
return PolicyResult.REJECTED;
}
// Else check if the renewal interval is okay and then
// set the validity.
for (int i = 0; i < certInfo.length; i++) {
- X509CertInfo oldCertInfo = (X509CertInfo)
- currentCerts[i].get(X509CertImpl.NAME +
- "." + X509CertImpl.INFO);
- CertificateValidity oldValidity = (CertificateValidity)
- oldCertInfo.get(X509CertInfo.VALIDITY);
- Date notAfter = (Date)
- oldValidity.get(CertificateValidity.NOT_AFTER);
+ X509CertInfo oldCertInfo = (X509CertInfo) currentCerts[i]
+ .get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
+ CertificateValidity oldValidity = (CertificateValidity) oldCertInfo
+ .get(X509CertInfo.VALIDITY);
+ Date notAfter = (Date) oldValidity
+ .get(CertificateValidity.NOT_AFTER);
// Is the Certificate still valid?
Date now = CMS.getCurrentDate();
@@ -233,12 +231,13 @@ public class RenewalValidityConstraints extends APolicyRule
long interval = notAfter.getTime() - now.getTime();
if (interval > mRenewalInterval) {
- setError(req,
- CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME",
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_LONG_RENEWAL_LEAD_TIME",
getInstanceName(),
- String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), "");
- setError(req,
- CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS",
+ String.valueOf(mRenewalInterval
+ / DAYS_TO_MS_FACTOR)), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_EXISTING_CERT_DETAILS",
getInstanceName(),
getCertDetails(req, currentCerts[i])), "");
@@ -248,29 +247,28 @@ public class RenewalValidityConstraints extends APolicyRule
}
}
- // Else compute new validity.
+ // Else compute new validity.
Date renewedNotBef = notAfter;
- Date renewedNotAfter = new Date(notAfter.getTime() +
- mMaxValidity);
+ Date renewedNotAfter = new Date(notAfter.getTime()
+ + mMaxValidity);
- // If the new notAfter is within renewal interval days from
+ // If the new notAfter is within renewal interval days from
// today or already expired, set the notBefore to today.
- if (renewedNotAfter.before(now) ||
- (renewedNotAfter.getTime() - now.getTime()) <=
- mRenewalInterval) {
+ if (renewedNotAfter.before(now)
+ || (renewedNotAfter.getTime() - now.getTime()) <= mRenewalInterval) {
renewedNotBef = now;
- renewedNotAfter = new Date(now.getTime() +
- mMaxValidity);
+ renewedNotAfter = new Date(now.getTime() + mMaxValidity);
}
- CertificateValidity newValidity =
- new CertificateValidity(renewedNotBef, renewedNotAfter);
+ CertificateValidity newValidity = new CertificateValidity(
+ renewedNotBef, renewedNotAfter);
certInfo[i].set(X509CertInfo.VALIDITY, newValidity);
}
} catch (Exception e) {
- String params[] = {getInstanceName(), e.toString()};
+ String params[] = { getInstanceName(), e.toString() };
- setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
+ setError(req, CMS.getUserMessage(
+ "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), "");
result = PolicyResult.REJECTED;
}
return result;
@@ -278,24 +276,24 @@ public class RenewalValidityConstraints extends APolicyRule
/**
* Return configured parameters for a policy rule instance.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getInstanceParams() {
Vector confParams = new Vector();
- confParams.addElement(PROP_MIN_VALIDITY + "=" +
- mMinValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_MAX_VALIDITY + "=" +
- mMaxValidity / DAYS_TO_MS_FACTOR);
- confParams.addElement(PROP_RENEWAL_INTERVAL + "=" +
- mRenewalInterval / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity
+ / DAYS_TO_MS_FACTOR);
+ confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + mRenewalInterval
+ / DAYS_TO_MS_FACTOR);
return confParams;
}
/**
* Return default parameters for a policy implementation.
- *
+ *
* @return nvPairs A Vector of name/value pairs.
*/
public Vector getDefaultParams() {
@@ -306,7 +304,7 @@ public class RenewalValidityConstraints extends APolicyRule
private void setDummyValidity(X509CertInfo certInfo) {
try {
certInfo.set(X509CertInfo.VALIDITY,
- new CertificateValidity(CMS.getCurrentDate(), new Date()));
+ new CertificateValidity(CMS.getCurrentDate(), new Date()));
} catch (Exception e) {
}
}
@@ -317,8 +315,8 @@ public class RenewalValidityConstraints extends APolicyRule
sb.append("\n");
sb.append("Serial No: " + cert.getSerialNumber().toString(16));
sb.append("\n");
- sb.append("Validity: " + cert.getNotBefore().toString() +
- " - " + cert.getNotAfter().toString());
+ sb.append("Validity: " + cert.getNotBefore().toString() + " - "
+ + cert.getNotAfter().toString());
sb.append("\n");
String certType = req.getExtDataInString(IRequest.CERT_TYPE);
@@ -326,11 +324,12 @@ public class RenewalValidityConstraints extends APolicyRule
certType = IRequest.SERVER_CERT;
if (certType.equals(IRequest.CLIENT_CERT)) {
- /*** Take this our - URL formulation hard to do here.
- sb.append("Use the following url with your CA/RA gateway spec to download the certificate.");
- sb.append("\n");
- sb.append("/query/certImport?op=displayByserial&serialNumber=");
- sb.append(cert.getSerialNumber().toString(16));
+ /***
+ * Take this our - URL formulation hard to do here. sb.append(
+ * "Use the following url with your CA/RA gateway spec to download the certificate."
+ * ); sb.append("\n");
+ * sb.append("/query/certImport?op=displayByserial&serialNumber=");
+ * sb.append(cert.getSerialNumber().toString(16));
***/
sb.append("\n");
} else {
@@ -342,7 +341,7 @@ public class RenewalValidityConstraints extends APolicyRule
sb.append(CERT_HEADER + encodedCert + CERT_TRAILER);
} catch (Exception e) {
- //throw new AssertionException(e.toString());
+ // throw new AssertionException(e.toString());
}
}
return sb.toString();
generated by cgit (git 2.34.1) at 2024-05-05 15:56:29 +0000