This patch addresses https://fedorahosted.org/pki/ticket/2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA

thanks,
Christina
>From c79ff72288dd27b6b55840c0d5066b9b233a2b3a Mon Sep 17 00:00:00 2001
From: Christina Fu <[email protected]>
Date: Tue, 28 Jun 2016 18:00:03 -0700
Subject: [PATCH] Ticket 2389 Installation: subsystem certs could have notAfter
 beyond CA signing cert in case of external or existing CA

This patch adds a check on the notAfter value of the certInfo for certificates
issued during installation and clamps it to the CA signing certificate's notAfter
when it would otherwise exceed it.
---
 .../netscape/cms/profile/def/ValidityDefault.java  | 22 ++++++++++++++++++++++
 .../com/netscape/cms/servlet/csadmin/CertUtil.java |  3 +++
 2 files changed, 25 insertions(+)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index 634d0709328d4157bbb7ff4cfa683d09a5bd0291..9c95e14a9b8f435496e97f7a2ba0277b0fc1c630 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -26,6 +26,7 @@ import java.util.Locale;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
@@ -34,6 +35,7 @@ import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
 import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509CertInfo;
 
 /**
@@ -301,6 +303,26 @@ public class ValidityDefault extends EnrollDefault {
         Date notAfter = date.getTime();
         CMS.debug("ValidityDefault: not after: " + notAfter);
 
+        // check and fix notAfter if needed
+        // installAdjustValidity is set during installation if needed
+        boolean adjustValidity =
+                request.getExtDataInBoolean("installAdjustValidity", false);
+        if (adjustValidity) {
+            CMS.debug("ValidityDefault: populate: adjustValidity is true");
+            ICertificateAuthority ca = (ICertificateAuthority)
+                    CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+            try {
+                X509CertImpl caCert = ca.getCACert();
+                Date caNotAfter = caCert.getNotAfter();
+                if (notAfter.after(caNotAfter)) {
+                    notAfter = caNotAfter;
+                    CMS.debug("ValidityDefault: populate: resetting notAfter to caNotAfter");
+                }
+            } catch (Exception e) {
+                throw new EProfileException("ValidityDefaul: populate: can't get ca cert");
+            }
+        }
+
         CertificateValidity validity =
                 new CertificateValidity(notBefore, notAfter);
 
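Review bot: The clamp behind the `notAfter.after(caNotAfter)` check can leave notAfter earlier than notBefore when the CA signing certificate has already expired or expires before the requested notBefore, and that inverted range then flows straight into `new CertificateValidity(notBefore, notAfter)` below. Reject that case explicitly instead of silently clamping, e.g. `if (caNotAfter.before(notBefore)) throw new EProfileException("ValidityDefault: populate: CA signing cert expires before notBefore");`. The catch block also discards the underlying exception and misspells the class name in its message; log it with `CMS.debug(e);` before throwing and correct the text to `"ValidityDefault: populate: can't get ca cert"`. Keying the behaviour on a request ext-data flag looks acceptable because the flag can only ever shorten the validity, but a short comment stating that reasoning would help the next reader. populate() begins before and continues after this hunk.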
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 774ff94e317c48f250f1e15bf57b55f006e83ae4..495e4c0af7918a3406d399ea7503df379d273f88 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -535,6 +535,9 @@ public class CertUtil {
                 CMS.debug("Creating local request exception:" + e.toString());
             }
 
+            // installAdjustValidity tells ValidityDefault to adjust the
+            // notAfter value to that of the CA's signing cert if needed
+            req.setExtData("installAdjustValidity", "true");
             processor.populate(req, info);
 
             PrivateKey caPrik = null;
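Review bot: The ext-data key `"installAdjustValidity"` is now a string literal duplicated between CertUtil and ValidityDefault, so a typo on either side would silently disable the clamp without any error; a shared constant such as `public static final String INSTALL_ADJUST_VALIDITY = "installAdjustValidity";` on ValidityDefault, used here as `req.setExtData(ValidityDefault.INSTALL_ADJUST_VALIDITY, "true");`, would keep the two in step. The flag is set unconditionally for every request that reaches this point, so it presumably also applies to any certificate issued through this path whose validity is intended to match or outlast the current signing certificate — worth confirming no such case goes through here. The enclosing method starts before and continues after this hunk.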
-- 
2.4.3
