From 8ef4f6fc86753cafef9256e8102926d6effbbb0b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sun, 20 Dec 2015 21:46:56 +0100
Subject: [PATCH] Fixed mismatching certificate validity calculation.

The CAValidityDefault has been modified to use the Calendar API to
calculate the certificate validity range, so that it is consistent with
the ValidityConstraint and ValidityDefault.

https://fedorahosted.org/pki/ticket/1682
---
 .../cms/profile/def/CAValidityDefault.java         | 79 ++++++++++++++++++----
 base/server/cmsbundle/src/UserMessages.properties  |  2 +-
 2 files changed, 67 insertions(+), 14 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
index 44ffd474f8aa23abff922f6fc37e92cd12536dec..a98b2c28c12c78ac6ffa420c880ba0c317f5f94b 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -20,14 +20,10 @@ package com.netscape.cms.profile.def;
 import java.io.IOException;
 import java.text.ParsePosition;
 import java.text.SimpleDateFormat;
+import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -38,6 +34,11 @@ import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * This class implements a CA signing cert enrollment default policy
  * that populates a server-side configurable validity
@@ -46,6 +47,7 @@ import com.netscape.certsrv.request.IRequest;
  */
 public class CAValidityDefault extends EnrollDefault {
     public static final String CONFIG_RANGE = "range";
+    public static final String CONFIG_RANGE_UNIT = "rangeUnit";
     public static final String CONFIG_START_TIME = "startTime";
     public static final String CONFIG_BYPASS_CA_NOTAFTER = "bypassCAnotafter";
 
@@ -61,6 +63,7 @@ public class CAValidityDefault extends EnrollDefault {
     public CAValidityDefault() {
         super();
         addConfigName(CONFIG_RANGE);
+        addConfigName(CONFIG_RANGE_UNIT);
         addConfigName(CONFIG_START_TIME);
         addConfigName(CONFIG_BYPASS_CA_NOTAFTER);
 
@@ -103,6 +106,12 @@ public class CAValidityDefault extends EnrollDefault {
                     "7305", /* 20 years */
                     CMS.getUserMessage(locale,
                             "CMS_PROFILE_VALIDITY_RANGE"));
+        } else if (name.equals(CONFIG_RANGE_UNIT)) {
+            return new Descriptor(IDescriptor.STRING,
+                    null,
+                    "day",
+                    CMS.getUserMessage(locale,
+                            "CMS_PROFILE_VALIDITY_RANGE_UNIT"));
         } else if (name.equals(CONFIG_START_TIME)) {
             return new Descriptor(IDescriptor.STRING,
                     null,
@@ -299,6 +308,28 @@ public class CAValidityDefault extends EnrollDefault {
         return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_VALIDITY", params);
     }
 
+    public int convertRangeUnit(String unit) throws Exception {
+
+        if (unit.equals("year")) {
+            return Calendar.YEAR;
+
+        } else if (unit.equals("month")) {
+            return Calendar.MONTH;
+
+        } else if (unit.equals("day")) {
+            return Calendar.DAY_OF_YEAR;
+
+        } else if (unit.equals("hour")) {
+            return Calendar.HOUR_OF_DAY;
+
+        } else if (unit.equals("minute")) {
+            return Calendar.MINUTE;
+
+        } else {
+            throw new Exception("Invalid range unit: " + unit);
+        }
+    }
+
     /**
      * Populates the request with this policy default.
      */
@@ -307,6 +338,7 @@ public class CAValidityDefault extends EnrollDefault {
 
         // always + 60 seconds
         String startTimeStr = getConfig(CONFIG_START_TIME);
+        CMS.debug("CAValidityDefault: start time: " + startTimeStr);
         try {
             startTimeStr = mapPattern(request, startTimeStr);
         } catch (IOException e) {
@@ -317,21 +349,42 @@ public class CAValidityDefault extends EnrollDefault {
             startTimeStr = "60";
         }
         int startTime = Integer.parseInt(startTimeStr);
+
         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
-        long notAfterVal = 0;
+        CMS.debug("CAValidityDefault: not before: " + notBefore);
 
+        String rangeStr = getConfig(CONFIG_RANGE, "7305");
+        CMS.debug("CAValidityDefault: range: " + rangeStr);
+
+        int range;
         try {
-            String rangeStr = getConfig(CONFIG_RANGE);
             rangeStr = mapPattern(request, rangeStr);
-            notAfterVal = notBefore.getTime() +
-                    (mDefault * Integer.parseInt(rangeStr));
-        } catch (Exception e) {
-            // configured value is not correct
-            CMS.debug("CAValidityDefault: populate " + e.toString());
+            range = Integer.parseInt(rangeStr);
+        } catch (IOException e) {
+            CMS.debug(e);
             throw new EProfileException(CMS.getUserMessage(
                         getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE));
         }
-        Date notAfter = new Date(notAfterVal);
+
+        String rangeUnitStr = getConfig(CONFIG_RANGE_UNIT, "day");
+        CMS.debug("CAValidityDefault: range unit: " + rangeUnitStr);
+
+        int rangeUnit;
+        try {
+            rangeUnit = convertRangeUnit(rangeUnitStr);
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new EProfileException(CMS.getUserMessage(
+                        getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE_UNIT));
+        }
+
+        // calculate the end of validity range
+        Calendar date = Calendar.getInstance();
+        date.setTime(notBefore);
+        date.add(rangeUnit, range);
+
+        Date notAfter = date.getTime();
+        CMS.debug("CAValidityDefault: not after: " + notAfter);
 
         CertificateValidity validity =
                 new CertificateValidity(notBefore, notAfter);
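Review bot: The `catch (IOException e)` added at the range-parsing block narrows the previous `catch (Exception e)`, so a non-numeric `range` value now escapes `Integer.parseInt(rangeStr)` as an unchecked `NumberFormatException` instead of being reported as `CMS_INVALID_PROPERTY` for `CONFIG_RANGE`; the multi-catch `} catch (IOException | NumberFormatException e) {` restores that behaviour while keeping the narrow handling. The unit block below it catches `Exception` for the same style of configuration error, so the two blocks should use the same approach. Nothing rejects a zero or negative `range`, which `Calendar.add` accepts and yields a `notAfter` at or before `notBefore`; it is not visible here whether a later constraint catches that, so a guard or a comment pointing at the responsible check would be worth adding. The enclosing `populate` method starts and ends outside this hunk.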
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index 6b4dc69b5a6787309f02b0e5e79d93b1f2918f88..7c5c77d5b589886d0a8c6323436a1fdcdd4ce8f9 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -835,7 +835,7 @@ CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE=Check Not Before against current time
 CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER=Check Not After against Not Before
 CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being set in the future (in seconds).
 CMS_PROFILE_VALIDITY_RANGE=Validity Range
-CMS_PROFILE_VALIDITY_RANGE_UNIT=Validity Range Unit (default: day)
+CMS_PROFILE_VALIDITY_RANGE_UNIT=Validity Range Unit: year, month, day (default), hour, minute
 CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds)
 CMS_PROFILE_NOT_BEFORE_RANDOM_BITS=Not Before Random Bits
 CMS_PROFILE_NOT_AFTER_RANDOM_BITS=Not After Random Bits
-- 
2.4.3