[Pki-devel] [PATCH] 0010..0013 DNP3/IECUserRoles extension support

Fraser Tweedale ftweedal at redhat.com
Thu Aug 28 05:48:55 UTC 2014


Could someone please have a look at these changes?  There's a
plugfest in a couple of weeks that I'm going to be providing
certificates for, so it would be good to get some feedback.

Cheers,

Fraser

On Mon, Aug 18, 2014 at 05:03:25PM +1000, Fraser Tweedale wrote:
> On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
> > On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> > > Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> > > extension support and a DNP3 profile that makes use of it.  This is
> > > to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> > > Authentication v5 (SAv5) standard.
> > > 
> > > In brief, the SN and all the IECUserRoles params will be given in
> > > profile inputs, and the key is taken from a CertReqInput.
> > > 
> > > There's still a bit of work to go - notably, some of the
> > > IECUserRoles fields are unimplemented, and some of those that *are*
> > > implemented are not yet read out of the profile input but rather are
> > > hardcoded.  The extension *does* appear on the certificate, so I
> > > should get that all completed tomorrow.
> > > 
> > > Cheers,
> > > 
> > > Fraser
> > > 
> 
> These patches have been completed and are ready for review.  New
> versions are attached.

> >From 97009318b965ecc3774b57e47b6aa58f4388d508 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Mon, 11 Aug 2014 03:10:04 -0400
> Subject: [PATCH] Add IECUserRolesExtension class
> 
> ---
>  .../security/extensions/IECUserRolesExtension.java | 234 +++++++++++++++++++++
>  1 file changed, 234 insertions(+)
>  create mode 100644 base/util/src/netscape/security/extensions/IECUserRolesExtension.java
> 
> diff --git a/base/util/src/netscape/security/extensions/IECUserRolesExtension.java b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
> new file mode 100644
> index 0000000000000000000000000000000000000000..2a0866cf39d605c6fd04ef325806060edd7a6bb1
> --- /dev/null
> +++ b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
> @@ -0,0 +1,234 @@
> +// --- BEGIN COPYRIGHT BLOCK ---
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; version 2 of the License.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License along
> +// with this program; if not, write to the Free Software Foundation, Inc.,
> +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +//
> +// (C) 2014 Red Hat, Inc.
> +// All rights reserved.
> +// --- END COPYRIGHT BLOCK ---
> +package netscape.security.extensions;
> +
> +import java.io.IOException;
> +import java.io.InputStream;
> +import java.io.OutputStream;
> +import java.math.BigInteger;
> +import java.security.cert.CertificateException;
> +import java.util.Enumeration;
> +import java.util.Vector;
> +
> +import netscape.security.util.BigInt;
> +import netscape.security.util.DerOutputStream;
> +import netscape.security.util.DerValue;
> +import netscape.security.util.ObjectIdentifier;
> +import netscape.security.x509.CertAttrSet;
> +import netscape.security.x509.Extension;
> +import netscape.security.x509.OIDMap;
> +
> +/**
> + * This represents the IEC 62351-8 IECUserRoles extension.
> + */
> +public class IECUserRolesExtension extends Extension implements CertAttrSet {
> +    public enum Operation { ADD, DELETE, CHANGE };
> +
> +    private static final long serialVersionUID = 172340873242193489L;
> +
> +    public static final String OID = "1.2.840.10070.8.1";
> +
> +    public static final BigInteger MAX_STATUS_CHANGE_SEQNO =
> +        new BigInteger("4294967295");
> +
> +    private Vector<Integer> userRole;
> +    private String aor;
> +    private int revision;
> +    private String roleDefinition;
> +    private Operation operation;
> +    private BigInteger statusChangeSequenceNumber;
> +
> +    static {
> +        try {
> +            OIDMap.addAttribute(IECUserRolesExtension.class.getName(),
> +                OID, IECUserRolesExtension.class.getName());
> +        } catch (CertificateException e) {
> +        }
> +    }
> +
> +    public IECUserRolesExtension(
> +        boolean crit,
> +        Vector<Integer> userRole,
> +        String aor,
> +        int revision,
> +        String roleDefinition,
> +        Operation operation,
> +        BigInteger statusChangeSequenceNumber
> +    ) throws CertificateException {
> +        try {
> +            extensionId = ObjectIdentifier.getObjectIdentifier(OID);
> +        } catch (IOException e) {
> +            // never here
> +        }
> +
> +        critical = crit;
> +
> +        // userRole SEQUENCE SIZE (1..MAX) OF RoleID
> +        // RoleId ::= INTEGER (-32 768..32 767)
> +        if (userRole == null)
> +            throw new CertificateException("userRole cannot be null");
> +        if (userRole.size() < 1)
> +            throw new CertificateException("userRole must have at least one element");
> +        for (int roleId : userRole) {
> +            if (roleId < -32768 || roleId > 32767)
> +                throw new CertificateException("RoleId must be in range (-32 768..32 767)");
> +        }
> +        this.userRole = userRole;
> +
> +        // aor (area of responsibility) UTF8String (SIZE(1..64))
> +        if (aor == null)
> +            throw new CertificateException("aor cannot be null");
> +        if (aor.isEmpty() || aor.length() > 64)
> +            throw new CertificateException("aor must be of SIZE(1..64)");
> +        this.aor = aor;
> +
> +        // revision INTEGER (0..255)
> +        if (revision < 0 || revision > 255)
> +            throw new CertificateException("revision must be in range (0..255)");
> +        this.revision = revision;
> +
> +        // roleDefinition UTF8String (0..23) OPTIONAL
> +        if (roleDefinition != null && roleDefinition.length() > 23)
> +            throw new CertificateException("roleDefinition must be of SIZE(0..23)");
> +        this.roleDefinition = roleDefinition;
> +
> +        // operation Operation OPTIONAL
> +        // Operation ::= ENUMERATED { Add (1), Delete (2), Change (3) }
> +        this.operation = operation;
> +
> +        // statusChangeSequenceNumber INTEGER (0..4 294 967 295) OPTIONAL
> +        if (statusChangeSequenceNumber != null && (
> +                statusChangeSequenceNumber.compareTo(BigInteger.ZERO) < 0
> +                || statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) > 1))
> +            throw new CertificateException(
> +                "statusChangeSequenceNumber must be in range (0..4 294 967 295)");
> +        this.statusChangeSequenceNumber = statusChangeSequenceNumber;
> +    }
> +
> +    public IECUserRolesExtension(Boolean crit, Object byteVal)
> +            throws IOException {
> +        extensionId = ObjectIdentifier.getObjectIdentifier(OID);
> +        critical = crit.booleanValue();
> +        extensionValue = ((byte[]) byteVal).clone();
> +    }
> +
> +    @Override
> +    public String toString() {
> +        String presentation = "oid=" + OID + " ";
> +
> +        if (critical) {
> +            presentation += "critical=true";
> +        }
> +        if (extensionValue != null) {
> +            StringBuffer extByteValue = new StringBuffer(" val=");
> +            for (int i = 0; i < extensionValue.length; i++) {
> +                extByteValue.append(extensionValue[i] + " ");
> +            }
> +            presentation += extByteValue.toString();
> +        }
> +        return presentation;
> +    }
> +
> +    public void decode(InputStream in)
> +            throws CertificateException, IOException {
> +    }
> +
> +    public void encode(DerOutputStream out) throws IOException {
> +        encodeExtValue();
> +        super.encode(out);
> +    }
> +
> +    public void encode(OutputStream out)
> +            throws CertificateException, IOException {
> +        DerOutputStream temp = new DerOutputStream();
> +        encode(temp);
> +        out.write(temp.toByteArray());
> +    }
> +
> +    public void set(String name, Object obj)
> +            throws CertificateException, IOException {
> +        // NOT USED
> +    }
> +
> +    public Object get(String name) throws CertificateException, IOException {
> +        // NOT USED
> +        return null;
> +    }
> +
> +    public Enumeration<String> getAttributeNames() {
> +        return null;
> +    }
> +
> +    public String getName() {
> +        return OID;
> +    }
> +
> +    public void delete(String name)
> +            throws CertificateException, IOException {
> +        // NOT USED
> +    }
> +
> +    private void encodeExtValue() throws IOException {
> +        if (extensionValue != null)
> +            return;
> +
> +        DerOutputStream outUserRoleInfo = new DerOutputStream();
> +
> +        DerOutputStream outRoles = new DerOutputStream();
> +        for (int role : userRole) {
> +            outRoles.putInteger(new BigInt(role));
> +        }
> +        outUserRoleInfo.write(DerValue.tag_Sequence, outRoles);
> +
> +        outUserRoleInfo.putUTF8String(aor);
> +
> +        outUserRoleInfo.putInteger(new BigInt(revision));
> +
> +        if (roleDefinition != null)
> +            outUserRoleInfo.putUTF8String(roleDefinition);
> +
> +        if (operation != null) {
> +            int op = 0;
> +            switch (operation) {
> +            case ADD:
> +                op = 1;
> +                break;
> +            case DELETE:
> +                op = 2;
> +                break;
> +            case CHANGE:
> +                op = 3;
> +                break;
> +            }
> +            outUserRoleInfo.putEnumerated(op);
> +        }
> +
> +        if (statusChangeSequenceNumber != null)
> +            outUserRoleInfo.putInteger(new BigInt(statusChangeSequenceNumber));
> +
> +        // write UserRoleInfo SEQUENCE (of the above information)
> +        DerOutputStream outIECUserRoles = new DerOutputStream();
> +        outIECUserRoles.write(DerValue.tag_Sequence, outUserRoleInfo);
> +
> +        // write IECUserRoles SEQUENCE OF UserRoleInfo
> +        DerOutputStream out = new DerOutputStream();
> +        out.write(DerValue.tag_Sequence, outIECUserRoles);
> +
> +        extensionValue = out.toByteArray();
> +    }
> +}
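Review bot: The upper-bound check on statusChangeSequenceNumber in the value constructor never fires, because BigInteger.compareTo returns at most 1 and the condition tests `> 1`, so any value above 4294967295 is accepted and DER-encoded; the line should read `|| statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) > 0))`. The byte-array constructor together with the empty decode() means an extension read back from an existing certificate has every field null and can only be re-emitted, not inspected; a comment above decode() such as `// DER decoding is not implemented: fields are populated only by the value constructor` would stop callers assuming otherwise until it is written. The empty catch in the static initializer should also log or rethrow the CertificateException rather than silently drop the OID registration.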
> -- 
> 1.9.3
> 

> >From f32268e1e158ff6d80b9262386165783ce92aaca Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Tue, 12 Aug 2014 04:08:30 -0400
> Subject: [PATCH] Add IECUserRolesExtInput profile input
> 
> ---
>  base/ca/shared/conf/registry.cfg                   |   5 +-
>  .../cms/profile/input/IECUserRolesExtInput.java    | 204 +++++++++++++++++++++
>  base/server/cmsbundle/src/UserMessages.properties  |   8 +
>  3 files changed, 216 insertions(+), 1 deletion(-)
>  create mode 100644 base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
> 
> diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
> index 9cd4e6d5c89b6e9bd0323fd3fd272b4af1de9568..c4e3ab86b453bec8964d62b3fbdbac14b40f6105 100644
> --- a/base/ca/shared/conf/registry.cfg
> +++ b/base/ca/shared/conf/registry.cfg
> @@ -173,7 +173,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
>  profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
>  profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
>  profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
> -profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
> +profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl,iecUserRolesExtInputImpl
>  profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
>  profileInput.subjectAltNameExtInputImpl.desc=SAN Input
>  profileInput.subjectAltNameExtInputImpl.name=SAN Input
> @@ -222,6 +222,9 @@ profileInput.subjectDNInputImpl.name=Subject DN Input
>  profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
>  profileInput.subjectNameInputImpl.desc=Subject Name Input
>  profileInput.subjectNameInputImpl.name=Subject Name Input
> +profileInput.iecUserRolesExtInputImpl.class=com.netscape.cms.profile.input.IECUserRolesExtInput
> +profileInput.iecUserRolesExtInputImpl.desc=IECUserRoles Extension Input
> +profileInput.iecUserRolesExtInputImpl.name=IECUserRoles Extension Input
>  profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
>  profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
>  profileOutput.certOutputImpl.desc=Certificate Output
> diff --git a/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
> new file mode 100644
> index 0000000000000000000000000000000000000000..32d77d696208c17fe2dd70ea3562eb05d5b24455
> --- /dev/null
> +++ b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
> @@ -0,0 +1,204 @@
> +// --- BEGIN COPYRIGHT BLOCK ---
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; version 2 of the License.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License along
> +// with this program; if not, write to the Free Software Foundation, Inc.,
> +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +//
> +// (C) 2014 Red Hat, Inc.
> +// All rights reserved.
> +// --- END COPYRIGHT BLOCK ---
> +
> +package com.netscape.cms.profile.input;
> +
> +import java.io.IOException;
> +import java.math.BigInteger;
> +import java.security.cert.CertificateException;
> +import java.util.Enumeration;
> +import java.util.Locale;
> +import java.util.StringTokenizer;
> +import java.util.Vector;
> +
> +import netscape.security.extensions.IECUserRolesExtension;
> +import netscape.security.x509.CertificateExtensions;
> +import netscape.security.x509.X509CertInfo;
> +
> +import com.netscape.certsrv.apps.CMS;
> +import com.netscape.certsrv.base.EBaseException;
> +import com.netscape.certsrv.base.IConfigStore;
> +import com.netscape.certsrv.profile.EProfileException;
> +import com.netscape.certsrv.profile.IProfile;
> +import com.netscape.certsrv.profile.IProfileContext;
> +import com.netscape.certsrv.profile.IProfileInput;
> +import com.netscape.certsrv.property.Descriptor;
> +import com.netscape.certsrv.property.IDescriptor;
> +import com.netscape.certsrv.request.IRequest;
> +import com.netscape.cms.profile.common.EnrollProfile;
> +
> +
> +/**
> + * This plugin accepts IEC 62351-8 IECUserRoles extension data from user.
> + */
> +public class IECUserRolesExtInput extends EnrollInput implements IProfileInput {
> +    public static final String CONFIG_ROLE_DEFINITION = "role_definition";
> +    public static final String CONFIG_OPERATION_REQUIRED = "operation_required";
> +
> +    public static final String VAL_USER_ROLES = "userRole";
> +    public static final String VAL_AOR = "aor";
> +    public static final String VAL_REVISION = "revision";
> +    public static final String VAL_OPERATION = "operation";
> +
> +    public IECUserRolesExtInput() {
> +        addConfigName(CONFIG_ROLE_DEFINITION);
> +        addConfigName(CONFIG_OPERATION_REQUIRED);
> +    }
> +
> +    /**
> +     * Retrieves the localizable name of this policy.
> +     */
> +    public String getName(Locale locale) {
> +        return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME");
> +    }
> +
> +    /**
> +     * Retrieves the localizable description of this policy.
> +     */
> +    public String getText(Locale locale) {
> +        return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT");
> +    }
> +
> +    public void populate(IProfileContext ctx, IRequest request)
> +            throws EProfileException {
> +
> +        Vector<Integer> userRole = new Vector<Integer>();
> +        String userRoleString = ctx.get(VAL_USER_ROLES);
> +        StringTokenizer tok = new StringTokenizer(userRoleString, ",");
> +        while (tok.hasMoreTokens()) {
> +            try {
> +                userRole.add(new Integer(tok.nextToken()));
> +            } catch (NumberFormatException e) {
> +                throw new EProfileException("RoleIDs must be integers");
> +            }
> +        }
> +
> +        String aor = ctx.get(VAL_AOR);
> +
> +        String revisionString = ctx.get(VAL_REVISION);
> +        int revision = -1;
> +        try {
> +            revision = Integer.parseInt(revisionString);
> +        } catch (NumberFormatException e) {
> +            throw new EProfileException("revision must be an integer");
> +        }
> +
> +        String roleDefinition = getConfig(CONFIG_ROLE_DEFINITION);
> +
> +        IECUserRolesExtension.Operation operation = null;
> +        String operationString = ctx.get(VAL_OPERATION).trim();
> +        if (operationString.equals("1")
> +                || operationString.equalsIgnoreCase("ADD")) {
> +            operation = IECUserRolesExtension.Operation.ADD;
> +        } else if (operationString.equals("2")
> +                || operationString.equalsIgnoreCase("DELETE")) {
> +            operation = IECUserRolesExtension.Operation.DELETE;
> +        } else if (operationString.equals("3")
> +                || operationString.equalsIgnoreCase("CHANGE")) {
> +            operation = IECUserRolesExtension.Operation.CHANGE;
> +        }
> +        String operationRequired = getConfig(CONFIG_OPERATION_REQUIRED);
> +        if (operationRequired != null
> +                && operationRequired.equalsIgnoreCase("true")
> +                && operation == null) {
> +            throw new EProfileException("operation is required");
> +        }
> +
> +        // IEEE 1815-2012: "Optional if the authority can guarantee
> +        // Certificate.tbsCertificate.serialNumber will always
> +        // increase for this user.
> +        //
> +        BigInteger statusChangeSequenceNumber = null;
> +
> +        // create extension
> +        IECUserRolesExtension ext;
> +        try {
> +            ext = new IECUserRolesExtension(
> +                false,
> +                userRole,
> +                aor,
> +                revision,
> +                roleDefinition,
> +                operation,
> +                statusChangeSequenceNumber
> +            );
> +        } catch (CertificateException e) {
> +            throw new EProfileException(
> +                "failed to construct IECUserRoles extension: " + e.toString());
> +        }
> +
> +        CertificateExtensions exts =
> +            request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
> +        if (exts == null) {
> +            throw new EProfileException("extensions not found");
> +        }
> +        try {
> +            exts.set(IECUserRolesExtension.OID, ext);
> +        } catch (IOException e) {
> +            CMS.debug("IECUserRolesExtInput: " + e.toString());
> +            throw new EProfileException("failed to set IECUserRoles extension");
> +        }
> +
> +        request.setExtData(EnrollProfile.REQUEST_EXTENSIONS, exts);
> +    }
> +
> +    /**
> +     * Return value names
> +     */
> +    public Enumeration<String> getValueNames() {
> +        Vector<String> v = new Vector<String>();
> +        v.addElement(VAL_USER_ROLES);
> +        v.addElement(VAL_AOR);
> +        v.addElement(VAL_REVISION);
> +        v.addElement(VAL_OPERATION);
> +        return v.elements();
> +    }
> +
> +    public IDescriptor getConfigDescriptor(Locale locale, String name) {
> +        if (name.equals(CONFIG_ROLE_DEFINITION)) {
> +            return new Descriptor(IDescriptor.STRING, null, null,
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION"));
> +        } else if (name.equals(CONFIG_OPERATION_REQUIRED)) {
> +            return new Descriptor(IDescriptor.BOOLEAN, null, "false",
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED"));
> +        } else {
> +            return null;
> +        }
> +    }
> +
> +    /**
> +     * Retrieves the descriptor of the given value
> +     * parameter by name.
> +     */
> +    public IDescriptor getValueDescriptor(Locale locale, String name) {
> +        if (name.equals(VAL_USER_ROLES)) {
> +            return new Descriptor(IDescriptor.STRING, null, null,
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES"));
> +        } else if (name.equals(VAL_AOR)) {
> +            return new Descriptor(IDescriptor.STRING, null, null,
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR"));
> +        } else if (name.equals(VAL_REVISION)) {
> +            return new Descriptor(IDescriptor.STRING, null, null,
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION"));
> +        } else if (name.equals(VAL_OPERATION)) {
> +            return new Descriptor(IDescriptor.STRING, null, null,
> +                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION"));
> +        }
> +        return null;
> +    }
> +}
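Review bot: populate() dereferences ctx.get() results without null checks: the StringTokenizer over the userRole value and the `.trim()` on the operation value both throw NullPointerException when the form field is absent, escaping as an unhandled runtime exception instead of the EProfileException used everywhere else in the method. An unrecognised non-empty operation string is also silently mapped to null and only caught when operation_required is set, so a typo such as "Ad" would produce a certificate without the operation the requester asked for. The parsing section should reject missing and unrecognised values explicitly, as below. Since the role IDs and AOR are authorisation attributes copied straight from the enrolment request, a comment stating that agent approval or a constraint is expected to gate this profile would also be worth adding.
```java
        String userRoleString = ctx.get(VAL_USER_ROLES);
        if (userRoleString == null || userRoleString.trim().isEmpty())
            throw new EProfileException("userRole is required");
        Vector<Integer> userRole = new Vector<Integer>();
        StringTokenizer tok = new StringTokenizer(userRoleString, ",");
        while (tok.hasMoreTokens()) {
            try {
                userRole.add(Integer.valueOf(tok.nextToken().trim()));
            } catch (NumberFormatException e) {
                throw new EProfileException("RoleIDs must be integers");
            }
        }

        // … unchanged: aor, revision, roleDefinition …

        IECUserRolesExtension.Operation operation = null;
        String operationString = ctx.get(VAL_OPERATION);
        if (operationString != null && !operationString.trim().isEmpty()) {
            operationString = operationString.trim();
            if (operationString.equals("1")
                    || operationString.equalsIgnoreCase("ADD")) {
                operation = IECUserRolesExtension.Operation.ADD;
            } else if (operationString.equals("2")
                    || operationString.equalsIgnoreCase("DELETE")) {
                operation = IECUserRolesExtension.Operation.DELETE;
            } else if (operationString.equals("3")
                    || operationString.equalsIgnoreCase("CHANGE")) {
                operation = IECUserRolesExtension.Operation.CHANGE;
            } else {
                throw new EProfileException(
                    "operation must be one of Add, Delete or Change");
            }
        }
        // … unchanged: operation_required check, extension construction …
```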
> diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
> index fe43094e6b2a0531502570bc626da557fc9061ae..194dfb4e6146f118d75324d35067fd78a5549d1a 100644
> --- a/base/server/cmsbundle/src/UserMessages.properties
> +++ b/base/server/cmsbundle/src/UserMessages.properties
> @@ -1074,6 +1074,14 @@ CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded
>  CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded
>  CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded
>  CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME=IECUserRoles Extension Input
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT=IECUserRoles Extension Input
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES=User Roles
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR=Area of Responsibility (AOR)
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION=Revision number
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION=Role Definition
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION=Operation (Add/Delete/Change)
> +CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED=Require Operation Value
>  #######################################################
>  # Self Tests
>  #
> -- 
> 1.9.3
> 

> From 288a7d8ee1e3e83518547c6a1e2f6c490a38f6ab Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Thu, 14 Aug 2014 01:50:11 -0400
> Subject: [PATCH] Add IECUserRolesExtDefault profile default
> 
> ---
>  base/ca/shared/conf/registry.cfg                   |  5 +-
>  .../cms/profile/def/IECUserRolesExtDefault.java    | 94 ++++++++++++++++++++++
>  2 files changed, 98 insertions(+), 1 deletion(-)
>  create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
> 
> diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
> index c4e3ab86b453bec8964d62b3fbdbac14b40f6105..d355d0252651cc538e482aebc9bfec17134f7566 100644
> --- a/base/ca/shared/conf/registry.cfg
> +++ b/base/ca/shared/conf/registry.cfg
> @@ -42,7 +42,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
>  constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
>  constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
>  constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
> -defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
> +defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,iecUserRolesExtDefaultImpl
>  defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
>  defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
>  defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
> @@ -160,6 +160,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attribut
>  defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>  defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
>  defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
> +defaultPolicy.iecUserRolesExtDefaultImpl.class=com.netscape.cms.profile.def.IECUserRolesExtDefault
> +defaultPolicy.iecUserRolesExtDefaultImpl.desc=IECUserRoles Extension Default
> +defaultPolicy.iecUserRolesExtDefaultImpl.name=IECUserRoles Extension Default
>  profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
>  profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
>  profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
> diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
> new file mode 100644
> index 0000000000000000000000000000000000000000..25dfa14b20fe3030d5f53613c7d6f3ac8b0c523c
> --- /dev/null
> +++ b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
> @@ -0,0 +1,94 @@
> +// --- BEGIN COPYRIGHT BLOCK ---
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; version 2 of the License.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License along
> +// with this program; if not, write to the Free Software Foundation, Inc.,
> +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +//
> +// (C) 2014 Red Hat, Inc.
> +// All rights reserved.
> +// --- END COPYRIGHT BLOCK ---
> +package com.netscape.cms.profile.def;
> +
> +import java.io.IOException;
> +import java.util.Enumeration;
> +import java.util.Locale;
> +import java.util.StringTokenizer;
> +
> +import netscape.security.extensions.IECUserRolesExtension;
> +import netscape.security.x509.CertificateExtensions;
> +import netscape.security.x509.X509CertInfo;
> +
> +import com.netscape.certsrv.apps.CMS;
> +import com.netscape.certsrv.base.IConfigStore;
> +import com.netscape.certsrv.profile.EProfileException;
> +import com.netscape.certsrv.profile.IProfile;
> +import com.netscape.certsrv.property.Descriptor;
> +import com.netscape.certsrv.property.EPropertyException;
> +import com.netscape.certsrv.property.IDescriptor;
> +import com.netscape.certsrv.request.IRequest;
> +import com.netscape.cms.profile.common.EnrollProfile;
> +
> +/**
> + * This class implements an enrollment default policy
> + * that populates IECUserRoles extension
> + * into the certificate template.
> + *
> + * @version $Revision$, $Date$
> + */
> +public class IECUserRolesExtDefault extends EnrollExtDefault {
> +
> +    public IDescriptor getConfigDescriptor(Locale locale, String name) {
> +        return null;
> +    }
> +
> +    public IDescriptor getValueDescriptor(Locale locale, String name) {
> +        return null;
> +    }
> +
> +    public void setValue(String name, Locale locale,
> +            X509CertInfo info, String value)
> +            throws EPropertyException {
> +    }
> +
> +    public String getValue(String name, Locale locale,
> +            X509CertInfo info)
> +            throws EPropertyException {
> +        return null;
> +    }
> +
> +    public String getText(Locale locale) {
> +        return "IECUserRolesExtDefault";
> +        //return CMS.getUserMessage(locale,
> +                //"CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params);
> +    }
> +
> +    /**
> +     * Populates the request with this policy default.
> +     */
> +    public void populate(IRequest request, X509CertInfo info)
> +            throws EProfileException {
> +        CMS.debug("START IEC DEFAULT POPULATE");
> +        CertificateExtensions exts =
> +            request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
> +        if (exts == null) {
> +            throw new EProfileException("extensions not found");
> +        }
> +        IECUserRolesExtension ext = null;
> +        try {
> +            ext = (IECUserRolesExtension) exts.get(IECUserRolesExtension.OID);
> +        } catch (IOException e) {
> +            throw new EProfileException("failed to get IECUserRoles extension");
> +        }
> +
> +        addExtension(IECUserRolesExtension.OID, ext, info);
> +        CMS.debug("DONE IEC DEFAULT POPULATE");
> +    }
> +}
> -- 
> 1.9.3
> 

> From 9015b215be29840b008f865aadbaa3f5e6f6ae0c Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Thu, 14 Aug 2014 02:05:47 -0400
> Subject: [PATCH] Add DNP3 ID certificate profile
> 
> ---
>  base/ca/shared/conf/CS.cfg.in               |  4 +-
>  base/ca/shared/profiles/ca/caDnp3IdCert.cfg | 61 +++++++++++++++++++++++++++++
>  2 files changed, 64 insertions(+), 1 deletion(-)
>  create mode 100644 base/ca/shared/profiles/ca/caDnp3IdCert.cfg
> 
> diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
> index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..28e626b3a5c03441dca3529fa3f38da978ec5dc5 100644
> --- a/base/ca/shared/conf/CS.cfg.in
> +++ b/base/ca/shared/conf/CS.cfg.in
> @@ -961,7 +961,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
>  oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
>  oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
>  os.userid=nobody
> -profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
> +profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment,caDnp3IdCert
>  profile.caUUIDdeviceCert.class_id=caEnrollImpl
>  profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
>  profile.caManualRenewal.class_id=caEnrollImpl
> @@ -1080,6 +1080,8 @@ profile.caEncUserCert.class_id=caEnrollImpl
>  profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
>  profile.caEncECUserCert.class_id=caEnrollImpl
>  profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
> +profile.caDnp3IdCert.class_id=caEnrollImpl
> +profile.caDnp3IdCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDnp3IdCert.cfg
>  registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
>  processor.caProfileProcess.getClientCert=true
>  processor.caProfileProcess.authzMgr=BasicAclAuthz
> diff --git a/base/ca/shared/profiles/ca/caDnp3IdCert.cfg b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
> new file mode 100644
> index 0000000000000000000000000000000000000000..c17ca805121abcd346c88089388c360401b0cdf9
> --- /dev/null
> +++ b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
> @@ -0,0 +1,61 @@
> +desc=Profile for enrolling DNP3 ID certificates
> +visible=true
> +enable=true
> +enableBy=admin
> +auth.class_id=
> +name=DNP3 ID certificate enrollment
> +input.list=i1,i2,i3,i4
> +input.i1.class_id=certReqInputImpl
> +input.i2.class_id=subjectDNInputImpl
> +input.i3.class_id=iecUserRolesExtInputImpl
> +input.i3.params.role_definition=IEC62351-8
> +input.i3.params.operation_required=true
> +input.i4.class_id=submitterInfoInputImpl
> +output.list=o1
> +output.o1.class_id=certOutputImpl
> +policyset.list=serverCertSet
> +policyset.serverCertSet.list=1,2,3,4,5,6,7
> +policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
> +policyset.serverCertSet.1.constraint.name=No Constraint
> +policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
> +policyset.serverCertSet.1.default.name=Subject Name Default
> +policyset.serverCertSet.1.default.params.name=
> +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
> +policyset.serverCertSet.2.constraint.name=Validity Constraint
> +policyset.serverCertSet.2.constraint.params.range=720
> +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
> +policyset.serverCertSet.2.constraint.params.notAfterCheck=false
> +policyset.serverCertSet.2.default.class_id=validityDefaultImpl
> +policyset.serverCertSet.2.default.name=Validity Default
> +policyset.serverCertSet.2.default.params.range=720
> +policyset.serverCertSet.2.default.params.startTime=0
> +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
> +policyset.serverCertSet.3.constraint.name=Key Constraint
> +policyset.serverCertSet.3.constraint.params.keyType=-
> +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
> +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
> +policyset.serverCertSet.3.default.name=Key Default
> +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
> +policyset.serverCertSet.4.constraint.name=No Constraint
> +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
> +policyset.serverCertSet.4.default.name=Authority Key Identifier Default
> +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
> +policyset.serverCertSet.5.constraint.name=No Constraint
> +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
> +policyset.serverCertSet.5.default.name=AIA Extension Default
> +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
> +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
> +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
> +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
> +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
> +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
> +policyset.serverCertSet.6.constraint.class_id=signingAlgConstraintImpl
> +policyset.serverCertSet.6.constraint.name=No Constraint
> +policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
> +policyset.serverCertSet.6.default.class_id=signingAlgDefaultImpl
> +policyset.serverCertSet.6.default.name=Signing Alg
> +policyset.serverCertSet.6.default.params.signingAlg=-
> +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
> +policyset.serverCertSet.7.constraint.name=No Constraint
> +policyset.serverCertSet.7.default.class_id=iecUserRolesExtDefaultImpl
> +policyset.serverCertSet.7.default.name=IEC User Roles Extension Default
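Review bot: The signing-algorithm constraint in this new profile (`policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=...`) admits MD2withRSA, MD5withRSA and SHA1withRSA, digests that are collision-broken for certificate signing and that a freshly authored profile has no reason to accept; trimming the list to `SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` keeps the constraint meaningful. The same entry is labelled `policyset.serverCertSet.6.constraint.name=No Constraint` although its class is signingAlgConstraintImpl, so the name should read `Signing Algorithm Constraint`. The key constraint on `keyParameters` likewise accepts 1024-bit RSA, which is weaker than the rest of the profile implies for a secure-authentication deployment. `auth.class_id=` is left empty, which appears to leave the profile without an authentication plugin so that issuance rests entirely on agent approval; if that is intended it deserves a comment in the profile, otherwise an authentication plugin should be named.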
> -- 
> 1.9.3
> 





