Could someone please have a look at these changes? There's a
plugfest in a couple of weeks that I'm going to be providing
certificates for, so it would be good to get some feedback.
Cheers,
Fraser
On Mon, Aug 18, 2014 at 05:03:25PM +1000, Fraser Tweedale wrote:
On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> > Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> > extension support and a DNP3 profile that makes use of it. This is
> > to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> > Authentication v5 (SAv5) standard.
> >
> > In brief, the SN and all the IECUserRoles params will be given in
> > profile inputs, and the key is taken from a CertReqInput.
> >
> > There's still a bit of work to go - notably, some of the
> > IECUserRoles fields are unimplemented, and some of those that *are*
> > implemented are not yet read out of the profile input but rather are
> > hardcoded. The extension *does* appear on the certificate, so I
> > should get that all completed tomorrow.
> >
> > Cheers,
> >
> > Fraser
> >
These patches have been completed and are ready for review. New
versions are attached.
>From 97009318b965ecc3774b57e47b6aa58f4388d508 Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Mon, 11 Aug 2014 03:10:04 -0400
Subject: [PATCH] Add IECUserRolesExtension class
---
.../security/extensions/IECUserRolesExtension.java | 234 +++++++++++++++++++++
1 file changed, 234 insertions(+)
create mode 100644
base/util/src/netscape/security/extensions/IECUserRolesExtension.java
diff --git a/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
new file mode 100644
index 0000000000000000000000000000000000000000..2a0866cf39d605c6fd04ef325806060edd7a6bb1
--- /dev/null
+++ b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
@@ -0,0 +1,234 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package netscape.security.extensions;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.Extension;
+import netscape.security.x509.OIDMap;
+
+/**
+ * This represents the IEC 62351-8 IECUserRoles extension.
+ */
+public class IECUserRolesExtension extends Extension implements CertAttrSet {
+ public enum Operation { ADD, DELETE, CHANGE };
+
+ private static final long serialVersionUID = 172340873242193489L;
+
+ public static final String OID = "1.2.840.10070.8.1";
+
+ public static final BigInteger MAX_STATUS_CHANGE_SEQNO =
+ new BigInteger("4294967295");
+
+ private Vector<Integer> userRole;
+ private String aor;
+ private int revision;
+ private String roleDefinition;
+ private Operation operation;
+ private BigInteger statusChangeSequenceNumber;
+
+ static {
+ try {
+ OIDMap.addAttribute(IECUserRolesExtension.class.getName(),
+ OID, IECUserRolesExtension.class.getName());
+ } catch (CertificateException e) {
+ }
+ }
+
+ public IECUserRolesExtension(
+ boolean crit,
+ Vector<Integer> userRole,
+ String aor,
+ int revision,
+ String roleDefinition,
+ Operation operation,
+ BigInteger statusChangeSequenceNumber
+ ) throws CertificateException {
+ try {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ } catch (IOException e) {
+ // never here
+ }
+
+ critical = crit;
+
+ // userRole SEQUENCE SIZE (1..MAX) OF RoleID
+ // RoleId ::= INTEGER (-32 768..32 767)
+ if (userRole == null)
+ throw new CertificateException("userRole cannot be null");
+ if (userRole.size() < 1)
+ throw new CertificateException("userRole must have at least one
element");
+ for (int roleId : userRole) {
+ if (roleId < -32768 || roleId > 32767)
+ throw new CertificateException("RoleId must be in range (-32
768..32 767)");
+ }
+ this.userRole = userRole;
+
+ // aor (area of responsibility) UTF8String (SIZE(1..64))
+ if (aor == null)
+ throw new CertificateException("aor cannot be null");
+ if (aor.isEmpty() || aor.length() > 64)
+ throw new CertificateException("aor must be of SIZE(1..64)");
+ this.aor = aor;
+
+ // revision INTEGER (0..255)
+ if (revision < 0 || revision > 255)
+ throw new CertificateException("revision must be in range
(0..255)");
+ this.revision = revision;
+
+ // roleDefinition UTF8String (0..23) OPTIONAL
+ if (roleDefinition != null && roleDefinition.length() > 23)
+ throw new CertificateException("roleDefinition must be of
SIZE(0..23)");
+ this.roleDefinition = roleDefinition;
+
+ // operation Operation OPTIONAL
+ // Operation ::= ENUMERATED { Add (1), Delete (2), Change (3) }
+ this.operation = operation;
+
+ // statusChangeSequenceNumber INTEGER (0..4 294 967 295) OPTIONAL
+ if (statusChangeSequenceNumber != null && (
+ statusChangeSequenceNumber.compareTo(BigInteger.ZERO) < 0
+ || statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) >
1))
+ throw new CertificateException(
+ "statusChangeSequenceNumber must be in range (0..4 294 967
295)");
+ this.statusChangeSequenceNumber = statusChangeSequenceNumber;
+ }
+
+ public IECUserRolesExtension(Boolean crit, Object byteVal)
+ throws IOException {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ critical = crit.booleanValue();
+ extensionValue = ((byte[]) byteVal).clone();
+ }
+
+ @Override
+ public String toString() {
+ String presentation = "oid=" + OID + " ";
+
+ if (critical) {
+ presentation += "critical=true";
+ }
+ if (extensionValue != null) {
+ StringBuffer extByteValue = new StringBuffer(" val=");
+ for (int i = 0; i < extensionValue.length; i++) {
+ extByteValue.append(extensionValue[i] + " ");
+ }
+ presentation += extByteValue.toString();
+ }
+ return presentation;
+ }
+
+ public void decode(InputStream in)
+ throws CertificateException, IOException {
+ }
+
+ public void encode(DerOutputStream out) throws IOException {
+ encodeExtValue();
+ super.encode(out);
+ }
+
+ public void encode(OutputStream out)
+ throws CertificateException, IOException {
+ DerOutputStream temp = new DerOutputStream();
+ encode(temp);
+ out.write(temp.toByteArray());
+ }
+
+ public void set(String name, Object obj)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ public Object get(String name) throws CertificateException, IOException {
+ // NOT USED
+ return null;
+ }
+
+ public Enumeration<String> getAttributeNames() {
+ return null;
+ }
+
+ public String getName() {
+ return OID;
+ }
+
+ public void delete(String name)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ private void encodeExtValue() throws IOException {
+ if (extensionValue != null)
+ return;
+
+ DerOutputStream outUserRoleInfo = new DerOutputStream();
+
+ DerOutputStream outRoles = new DerOutputStream();
+ for (int role : userRole) {
+ outRoles.putInteger(new BigInt(role));
+ }
+ outUserRoleInfo.write(DerValue.tag_Sequence, outRoles);
+
+ outUserRoleInfo.putUTF8String(aor);
+
+ outUserRoleInfo.putInteger(new BigInt(revision));
+
+ if (roleDefinition != null)
+ outUserRoleInfo.putUTF8String(roleDefinition);
+
+ if (operation != null) {
+ int op = 0;
+ switch (operation) {
+ case ADD:
+ op = 1;
+ break;
+ case DELETE:
+ op = 2;
+ break;
+ case CHANGE:
+ op = 3;
+ break;
+ }
+ outUserRoleInfo.putEnumerated(op);
+ }
+
+ if (statusChangeSequenceNumber != null)
+ outUserRoleInfo.putInteger(new BigInt(statusChangeSequenceNumber));
+
+ // write UserRoleInfo SEQUENCE (of the above information)
+ DerOutputStream outIECUserRoles = new DerOutputStream();
+ outIECUserRoles.write(DerValue.tag_Sequence, outUserRoleInfo);
+
+ // write IECUserRoles SEQUENCE OF UserRoleInfo
+ DerOutputStream out = new DerOutputStream();
+ out.write(DerValue.tag_Sequence, outIECUserRoles);
+
+ extensionValue = out.toByteArray();
+ }
+}
--
1.9.3
>From f32268e1e158ff6d80b9262386165783ce92aaca Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Tue, 12 Aug 2014 04:08:30 -0400
Subject: [PATCH] Add IECUserRolesExtInput profile input
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/input/IECUserRolesExtInput.java | 204 +++++++++++++++++++++
base/server/cmsbundle/src/UserMessages.properties | 8 +
3 files changed, 216 insertions(+), 1 deletion(-)
create mode 100644
base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index 9cd4e6d5c89b6e9bd0323fd3fd272b4af1de9568..c4e3ab86b453bec8964d62b3fbdbac14b40f6105
100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -173,7 +173,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment
Profile
profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment
Profile
profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl,iecUserRolesExtInputImpl
profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
profileInput.subjectAltNameExtInputImpl.desc=SAN Input
profileInput.subjectAltNameExtInputImpl.name=SAN Input
@@ -222,6 +222,9 @@ profileInput.subjectDNInputImpl.name=Subject DN Input
profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
profileInput.subjectNameInputImpl.desc=Subject Name Input
profileInput.subjectNameInputImpl.name=Subject Name Input
+profileInput.iecUserRolesExtInputImpl.class=com.netscape.cms.profile.input.IECUserRolesExtInput
+profileInput.iecUserRolesExtInputImpl.desc=IECUserRoles Extension Input
+profileInput.iecUserRolesExtInputImpl.name=IECUserRoles Extension Input
profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
profileOutput.certOutputImpl.desc=Certificate Output
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
new file mode 100644
index 0000000000000000000000000000000000000000..32d77d696208c17fe2dd70ea3562eb05d5b24455
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
@@ -0,0 +1,204 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.profile.input;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+
+/**
+ * This plugin accepts IEC 62351-8 IECUserRoles extension data from user.
+ */
+public class IECUserRolesExtInput extends EnrollInput implements IProfileInput {
+ public static final String CONFIG_ROLE_DEFINITION = "role_definition";
+ public static final String CONFIG_OPERATION_REQUIRED =
"operation_required";
+
+ public static final String VAL_USER_ROLES = "userRole";
+ public static final String VAL_AOR = "aor";
+ public static final String VAL_REVISION = "revision";
+ public static final String VAL_OPERATION = "operation";
+
+ public IECUserRolesExtInput() {
+ addConfigName(CONFIG_ROLE_DEFINITION);
+ addConfigName(CONFIG_OPERATION_REQUIRED);
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT");
+ }
+
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+
+ Vector<Integer> userRole = new Vector<Integer>();
+ String userRoleString = ctx.get(VAL_USER_ROLES);
+ StringTokenizer tok = new StringTokenizer(userRoleString, ",");
+ while (tok.hasMoreTokens()) {
+ try {
+ userRole.add(new Integer(tok.nextToken()));
+ } catch (NumberFormatException e) {
+ throw new EProfileException("RoleIDs must be integers");
+ }
+ }
+
+ String aor = ctx.get(VAL_AOR);
+
+ String revisionString = ctx.get(VAL_REVISION);
+ int revision = -1;
+ try {
+ revision = Integer.parseInt(revisionString);
+ } catch (NumberFormatException e) {
+ throw new EProfileException("revision must be an integer");
+ }
+
+ String roleDefinition = getConfig(CONFIG_ROLE_DEFINITION);
+
+ IECUserRolesExtension.Operation operation = null;
+ String operationString = ctx.get(VAL_OPERATION).trim();
+ if (operationString.equals("1")
+ || operationString.equalsIgnoreCase("ADD")) {
+ operation = IECUserRolesExtension.Operation.ADD;
+ } else if (operationString.equals("2")
+ || operationString.equalsIgnoreCase("DELETE")) {
+ operation = IECUserRolesExtension.Operation.DELETE;
+ } else if (operationString.equals("3")
+ || operationString.equalsIgnoreCase("CHANGE")) {
+ operation = IECUserRolesExtension.Operation.CHANGE;
+ }
+ String operationRequired = getConfig(CONFIG_OPERATION_REQUIRED);
+ if (operationRequired != null
+ && operationRequired.equalsIgnoreCase("true")
+ && operation == null) {
+ throw new EProfileException("operation is required");
+ }
+
+ // IEEE 1815-2012: "Optional if the authority can guarantee
+ // Certificate.tbsCertificate.serialNumber will always
+ // increase for this user.
+ //
+ BigInteger statusChangeSequenceNumber = null;
+
+ // create extension
+ IECUserRolesExtension ext;
+ try {
+ ext = new IECUserRolesExtension(
+ false,
+ userRole,
+ aor,
+ revision,
+ roleDefinition,
+ operation,
+ statusChangeSequenceNumber
+ );
+ } catch (CertificateException e) {
+ throw new EProfileException(
+ "failed to construct IECUserRoles extension: " +
e.toString());
+ }
+
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ try {
+ exts.set(IECUserRolesExtension.OID, ext);
+ } catch (IOException e) {
+ CMS.debug("IECUserRolesExtInput: " + e.toString());
+ throw new EProfileException("failed to set IECUserRoles
extension");
+ }
+
+ request.setExtData(EnrollProfile.REQUEST_EXTENSIONS, exts);
+ }
+
+ /**
+ * Return value names
+ */
+ public Enumeration<String> getValueNames() {
+ Vector<String> v = new Vector<String>();
+ v.addElement(VAL_USER_ROLES);
+ v.addElement(VAL_AOR);
+ v.addElement(VAL_REVISION);
+ v.addElement(VAL_OPERATION);
+ return v.elements();
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_ROLE_DEFINITION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION"));
+ } else if (name.equals(CONFIG_OPERATION_REQUIRED)) {
+ return new Descriptor(IDescriptor.BOOLEAN, null, "false",
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED"));
+ } else {
+ return null;
+ }
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_USER_ROLES)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES"));
+ } else if (name.equals(VAL_AOR)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR"));
+ } else if (name.equals(VAL_REVISION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION"));
+ } else if (name.equals(VAL_OPERATION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale,
"CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION"));
+ }
+ return null;
+ }
+}
diff --git a/base/server/cmsbundle/src/UserMessages.properties
b/base/server/cmsbundle/src/UserMessages.properties
index fe43094e6b2a0531502570bc626da557fc9061ae..194dfb4e6146f118d75324d35067fd78a5549d1a
100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -1074,6 +1074,14 @@ CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded
CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded
CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded
CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES=User Roles
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR=Area of Responsibility (AOR)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION=Revision number
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION=Role Definition
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION=Operation (Add/Delete/Change)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED=Require Operation Value
#######################################################
# Self Tests
#
--
1.9.3
From 288a7d8ee1e3e83518547c6a1e2f6c490a38f6ab Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Thu, 14 Aug 2014 01:50:11 -0400
Subject: [PATCH] Add IECUserRolesExtDefault profile default
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/def/IECUserRolesExtDefault.java | 94 ++++++++++++++++++++++
2 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644
base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index c4e3ab86b453bec8964d62b3fbdbac14b40f6105..d355d0252651cc538e482aebc9bfec17134f7566
100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -42,7 +42,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace
Period Constr
constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,iecUserRolesExtDefaultImpl
defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -160,6 +160,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject
Directory Attribut
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.class=com.netscape.cms.profile.def.IECUserRolesExtDefault
+defaultPolicy.iecUserRolesExtDefaultImpl.desc=IECUserRoles Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.name=IECUserRoles Extension Default
profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
new file mode 100644
index 0000000000000000000000000000000000000000..25dfa14b20fe3030d5f53613c7d6f3ac8b0c523c
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates IECUserRoles extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IECUserRolesExtDefault extends EnrollExtDefault {
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return "IECUserRolesExtDefault";
+ //return CMS.getUserMessage(locale,
+ //"CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params);
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ CMS.debug("START IEC DEFAULT POPULATE");
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ IECUserRolesExtension ext = null;
+ try {
+ ext = (IECUserRolesExtension) exts.get(IECUserRolesExtension.OID);
+ } catch (IOException e) {
+ throw new EProfileException("failed to get IECUserRoles
extension");
+ }
+
+ addExtension(IECUserRolesExtension.OID, ext, info);
+ CMS.debug("DONE IEC DEFAULT POPULATE");
+ }
+}
--
1.9.3
From 9015b215be29840b008f865aadbaa3f5e6f6ae0c Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <ftweedal(a)redhat.com>
Date: Thu, 14 Aug 2014 02:05:47 -0400
Subject: [PATCH] Add DNP3 ID certificate profile
---
base/ca/shared/conf/CS.cfg.in | 4 +-
base/ca/shared/profiles/ca/caDnp3IdCert.cfg | 61 +++++++++++++++++++++++++++++
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 base/ca/shared/profiles/ca/caDnp3IdCert.cfg
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..28e626b3a5c03441dca3529fa3f38da978ec5dc5
100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -961,7 +961,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment,caDnp3IdCert
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1080,6 +1080,8 @@ profile.caEncUserCert.class_id=caEnrollImpl
profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
profile.caEncECUserCert.class_id=caEnrollImpl
profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
+profile.caDnp3IdCert.class_id=caEnrollImpl
+profile.caDnp3IdCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDnp3IdCert.cfg
registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
processor.caProfileProcess.getClientCert=true
processor.caProfileProcess.authzMgr=BasicAclAuthz
diff --git a/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..c17ca805121abcd346c88089388c360401b0cdf9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
@@ -0,0 +1,61 @@
+desc=Profile for enrolling DNP3 ID certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=DNP3 ID certificate enrollment
+input.list=i1,i2,i3,i4
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i3.class_id=iecUserRolesExtInputImpl
+input.i3.params.role_definition=IEC62351-8
+input.i3.params.operation_required=true
+input.i4.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7
+policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.1.constraint.name=No Constraint
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.6.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.6.default.name=Signing Alg
+policyset.serverCertSet.6.default.params.signingAlg=-
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=iecUserRolesExtDefaultImpl
+policyset.serverCertSet.7.default.name=IEC User Roles Extension Default
--
1.9.3
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel