Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java | 201 |
1 files changed, 100 insertions, 101 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
index 3d98f3c2..8b09c767 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/RenewalValidityConstraints.java
@@ -17,7 +17,6 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.policy.constraints;
-
 import java.util.Date;
 import java.util.Locale;
 import java.util.Vector;
@@ -36,30 +35,29 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.PolicyResult; import com.netscape.cms.policy.APolicyRule; - /** - * RenewalValidityConstraints is a default rule for Certificate - * Renewal. This policy enforces the no of days before which a - * currently active certificate can be renewed and sets new validity - * period for the renewed certificate starting from the the ending - * period in the old certificate. - * + * RenewalValidityConstraints is a default rule for Certificate Renewal. This + * policy enforces the no of days before which a currently active certificate + * can be renewed and sets new validity period for the renewed certificate + * starting from the the ending period in the old certificate. + * * The main parameters are: - * - * The renewal leadtime in days: - i.e how many days before the - * expiry of the current certificate can one request the renewal. - * min and max validity duration. + * + * The renewal leadtime in days: - i.e how many days before the expiry of the + * current certificate can one request the renewal. min and max validity + * duration. * <P> + * * <PRE> * NOTE: The Policy Framework has been replaced by the Profile Framework. * </PRE> * <P> - * + * * @deprecated * @version $Revision$, $Date$ */ -public class RenewalValidityConstraints extends APolicyRule - implements IRenewalPolicy, IExtendedPluginInfo { +public class RenewalValidityConstraints extends APolicyRule implements + IRenewalPolicy, IExtendedPluginInfo { private long mMinValidity; private long mMaxValidity; private long mRenewalInterval; 
@@ -77,25 +75,25 @@ public class RenewalValidityConstraints extends APolicyRule private final static Vector defConfParams = new Vector(); static { - defConfParams.addElement(PROP_MIN_VALIDITY + "=" + - DEF_MIN_VALIDITY); - defConfParams.addElement(PROP_MAX_VALIDITY + "=" + - DEF_MAX_VALIDITY); - defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + - DEF_RENEWAL_INTERVAL); + defConfParams.addElement(PROP_MIN_VALIDITY + "=" + DEF_MIN_VALIDITY); + defConfParams.addElement(PROP_MAX_VALIDITY + "=" + DEF_MAX_VALIDITY); + defConfParams.addElement(PROP_RENEWAL_INTERVAL + "=" + + DEF_RENEWAL_INTERVAL); } public String[] getExtendedPluginInfo(Locale locale) { String[] params = { - PROP_MIN_VALIDITY + ";number;Specifies the minimum validity period, in days, for renewed certificates.", - PROP_MAX_VALIDITY + ";number;Specifies the maximum validity period, in days, for renewed certificates.", - PROP_RENEWAL_INTERVAL + ";number;Specifies how many days before its expiration that a certificate can be renewed.", - IExtendedPluginInfo.HELP_TOKEN + - ";configuration-policyrules-renewalvalidityconstraints", - IExtendedPluginInfo.HELP_TEXT + - ";Reject renewal request if the certificate is too far " + - "before it's expiry date" - }; + PROP_MIN_VALIDITY + + ";number;Specifies the minimum validity period, in days, for renewed certificates.", + PROP_MAX_VALIDITY + + ";number;Specifies the maximum validity period, in days, for renewed certificates.", + PROP_RENEWAL_INTERVAL + + ";number;Specifies how many days before its expiration that a certificate can be renewed.", + IExtendedPluginInfo.HELP_TOKEN + + ";configuration-policyrules-renewalvalidityconstraints", + IExtendedPluginInfo.HELP_TEXT + + ";Reject renewal request if the certificate is too far " + + "before it's expiry date" }; return params; 
@@ -109,20 +107,20 @@ public class RenewalValidityConstraints extends APolicyRule /** * Initializes this policy rule. * <P> - * + * * The entries probably are of the form: - * - * ra.Policy.rule.<ruleName>.implName=ValidityConstraints - * ra.Policy.rule.<ruleName>.enable=true - * ra.Policy.rule.<ruleName>.minValidity=30 - * ra.Policy.rule.<ruleName>.maxValidity=180 - * ra.Policy.rule.<ruleName>.renewalInterval=15 - * ra.Policy.rule.<ruleName>.predicate=ou==Sales - * - * @param config The config store reference + * + * ra.Policy.rule.<ruleName>.implName=ValidityConstraints + * ra.Policy.rule.<ruleName>.enable=true + * ra.Policy.rule.<ruleName>.minValidity=30 + * ra.Policy.rule.<ruleName>.maxValidity=180 + * ra.Policy.rule.<ruleName>.renewalInterval=15 + * ra.Policy.rule.<ruleName>.predicate=ou==Sales + * + * @param config The config store reference */ public void init(ISubsystem owner, IConfigStore config) - throws EPolicyException { + throws EPolicyException { // Get min and max validity in days and onfigure them. try { 
@@ -148,37 +146,37 @@ public class RenewalValidityConstraints extends APolicyRule // minValidity can't be bigger than maxValidity. if (mMinValidity > mMaxValidity) { - String params[] = {getInstanceName(), + String params[] = { getInstanceName(), String.valueOf(mMinValidity / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_INVALID_RENEWAL_MIN_MAX", params)); } // Renewal interval can't be more than maxValidity. if (mRenewalInterval > mMaxValidity) { - String params[] = {getInstanceName(), + String params[] = { getInstanceName(), String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR), String.valueOf(mMaxValidity / DAYS_TO_MS_FACTOR) }; - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_INVALID_RENEWAL_INTERVAL", params)); } } catch (Exception e) { // e.printStackTrace(); - String[] params = {getInstanceName(), e.toString()}; + String[] params = { getInstanceName(), e.toString() }; - throw new EPolicyException( - CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_CONFIG", params)); + throw new EPolicyException(CMS.getUserMessage( + "CMS_POLICY_INVALID_POLICY_CONFIG", params)); } } /** * Applies the policy on the given Request. * <P> - * - * @param req The request on which to apply policy. + * + * @param req The request on which to apply policy. * @return The policy result object. */ public PolicyResult apply(IRequest req) { 
@@ -190,16 +188,16 @@ public class RenewalValidityConstraints extends APolicyRule try { // Get the certificate info from the request - X509CertInfo certInfo[] = - req.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = req + .getExtDataInCertInfoArray(IRequest.CERT_INFO); // Get the certificates being renwed. - X509CertImpl currentCerts[] = - req.getExtDataInCertArray(IRequest.OLD_CERTS); + X509CertImpl currentCerts[] = req + .getExtDataInCertArray(IRequest.OLD_CERTS); // Both certificate info and current certs should be set if (certInfo == null) { - setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", + setError(req, CMS.getUserMessage("CMS_POLICY_NO_CERT_INFO", getInstanceName()), ""); return PolicyResult.REJECTED; } @@ -209,21 +207,21 @@ public class RenewalValidityConstraints extends APolicyRule return PolicyResult.REJECTED; } if (certInfo.length != currentCerts.length) { - setError(req, CMS.getUserMessage("CMS_POLICY_MISMATCHED_CERTINFO", - getInstanceName()), ""); + setError(req, CMS.getUserMessage( + "CMS_POLICY_MISMATCHED_CERTINFO", getInstanceName()), + ""); return PolicyResult.REJECTED; } // Else check if the renewal interval is okay and then // set the validity. for (int i = 0; i < certInfo.length; i++) { - X509CertInfo oldCertInfo = (X509CertInfo) - currentCerts[i].get(X509CertImpl.NAME + - "." + X509CertImpl.INFO); - CertificateValidity oldValidity = (CertificateValidity) - oldCertInfo.get(X509CertInfo.VALIDITY); - Date notAfter = (Date) - oldValidity.get(CertificateValidity.NOT_AFTER); + X509CertInfo oldCertInfo = (X509CertInfo) currentCerts[i] + .get(X509CertImpl.NAME + "." + X509CertImpl.INFO); + CertificateValidity oldValidity = (CertificateValidity) oldCertInfo + .get(X509CertInfo.VALIDITY); + Date notAfter = (Date) oldValidity + .get(CertificateValidity.NOT_AFTER); // Is the Certificate still valid? Date now = CMS.getCurrentDate(); 
@@ -233,12 +231,13 @@ public class RenewalValidityConstraints extends APolicyRule long interval = notAfter.getTime() - now.getTime(); if (interval > mRenewalInterval) { - setError(req, - CMS.getUserMessage("CMS_POLICY_LONG_RENEWAL_LEAD_TIME", + setError(req, CMS.getUserMessage( + "CMS_POLICY_LONG_RENEWAL_LEAD_TIME", getInstanceName(), - String.valueOf(mRenewalInterval / DAYS_TO_MS_FACTOR)), ""); - setError(req, - CMS.getUserMessage("CMS_POLICY_EXISTING_CERT_DETAILS", + String.valueOf(mRenewalInterval + / DAYS_TO_MS_FACTOR)), ""); + setError(req, CMS.getUserMessage( + "CMS_POLICY_EXISTING_CERT_DETAILS", getInstanceName(), getCertDetails(req, currentCerts[i])), ""); 
@@ -248,29 +247,28 @@ public class RenewalValidityConstraints extends APolicyRule } } - // Else compute new validity. + // Else compute new validity. Date renewedNotBef = notAfter; - Date renewedNotAfter = new Date(notAfter.getTime() + - mMaxValidity); + Date renewedNotAfter = new Date(notAfter.getTime() + + mMaxValidity); - // If the new notAfter is within renewal interval days from + // If the new notAfter is within renewal interval days from // today or already expired, set the notBefore to today. - if (renewedNotAfter.before(now) || - (renewedNotAfter.getTime() - now.getTime()) <= - mRenewalInterval) { + if (renewedNotAfter.before(now) + || (renewedNotAfter.getTime() - now.getTime()) <= mRenewalInterval) { renewedNotBef = now; - renewedNotAfter = new Date(now.getTime() + - mMaxValidity); + renewedNotAfter = new Date(now.getTime() + mMaxValidity); } - CertificateValidity newValidity = - new CertificateValidity(renewedNotBef, renewedNotAfter); + CertificateValidity newValidity = new CertificateValidity( + renewedNotBef, renewedNotAfter); certInfo[i].set(X509CertInfo.VALIDITY, newValidity); } } catch (Exception e) { - String params[] = {getInstanceName(), e.toString()}; + String params[] = { getInstanceName(), e.toString() }; - setError(req, CMS.getUserMessage("CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); + setError(req, CMS.getUserMessage( + "CMS_POLICY_UNEXPECTED_POLICY_ERROR", params), ""); result = PolicyResult.REJECTED; } return result; 
@@ -278,24 +276,24 @@ public class RenewalValidityConstraints extends APolicyRule /** * Return configured parameters for a policy rule instance. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getInstanceParams() { Vector confParams = new Vector(); - confParams.addElement(PROP_MIN_VALIDITY + "=" + - mMinValidity / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_MAX_VALIDITY + "=" + - mMaxValidity / DAYS_TO_MS_FACTOR); - confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + - mRenewalInterval / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MIN_VALIDITY + "=" + mMinValidity + / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_MAX_VALIDITY + "=" + mMaxValidity + / DAYS_TO_MS_FACTOR); + confParams.addElement(PROP_RENEWAL_INTERVAL + "=" + mRenewalInterval + / DAYS_TO_MS_FACTOR); return confParams; } /** * Return default parameters for a policy implementation. - * + * * @return nvPairs A Vector of name/value pairs. */ public Vector getDefaultParams() { @@ -306,7 +304,7 @@ public class RenewalValidityConstraints extends APolicyRule private void setDummyValidity(X509CertInfo certInfo) { try { certInfo.set(X509CertInfo.VALIDITY, - new CertificateValidity(CMS.getCurrentDate(), new Date())); + new CertificateValidity(CMS.getCurrentDate(), new Date())); } catch (Exception e) { } } @@ -317,8 +315,8 @@ public class RenewalValidityConstraints extends APolicyRule sb.append("\n"); sb.append("Serial No: " + cert.getSerialNumber().toString(16)); sb.append("\n"); - sb.append("Validity: " + cert.getNotBefore().toString() + - " - " + cert.getNotAfter().toString()); + sb.append("Validity: " + cert.getNotBefore().toString() + " - " + + cert.getNotAfter().toString()); sb.append("\n"); String certType = req.getExtDataInString(IRequest.CERT_TYPE); 
@@ -326,11 +324,12 @@ public class RenewalValidityConstraints extends APolicyRule certType = IRequest.SERVER_CERT; if (certType.equals(IRequest.CLIENT_CERT)) { - /*** Take this our - URL formulation hard to do here. - sb.append("Use the following url with your CA/RA gateway spec to download the certificate."); - sb.append("\n"); - sb.append("/query/certImport?op=displayByserial&serialNumber="); - sb.append(cert.getSerialNumber().toString(16)); + /*** + * Take this our - URL formulation hard to do here. sb.append( + * "Use the following url with your CA/RA gateway spec to download the certificate." + * ); sb.append("\n"); + * sb.append("/query/certImport?op=displayByserial&serialNumber="); + * sb.append(cert.getSerialNumber().toString(16)); ***/ sb.append("\n"); } else { @@ -342,7 +341,7 @@ public class RenewalValidityConstraints extends APolicyRule sb.append(CERT_HEADER + encodedCert + CERT_TRAILER); } catch (Exception e) { - //throw new AssertionException(e.toString()); + // throw new AssertionException(e.toString()); } } return sb.toString(); |