[Pki-devel] [PATCH] 0010..0013 DNP3/IECUserRoles extension support
Fraser Tweedale
ftweedal at redhat.com
Thu Aug 14 06:26:59 UTC 2014
On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> extension support and a DNP3 profile that makes use of it. This is
> to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> Authentication v5 (SAv5) standard.
>
> In brief, the SN and all the IECUserRoles params will be given in
> profile inputs, and the key is taken from a CertReqInput.
>
> There's still a bit of work to go - notably, some of the
> IECUserRoles fields are unimplemented, and some of those that *are*
> implemented are not yet read out of the profile input but rather are
> hardcoded. The extension *does* appear on the certificate, so I
> should get that all completed tomorrow.
>
> Cheers,
>
> Fraser
>
And it would probably help if I attached the patches! Sorry for the
noise.
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
>From 9867ca570ed1a332ab0cd8d573158279539488bd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 11 Aug 2014 03:10:04 -0400
Subject: [PATCH] Add IECUserRolesExtension class
---
.../security/extensions/IECUserRolesExtension.java | 174 +++++++++++++++++++++
1 file changed, 174 insertions(+)
create mode 100644 base/util/src/netscape/security/extensions/IECUserRolesExtension.java
diff --git a/base/util/src/netscape/security/extensions/IECUserRolesExtension.java b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
new file mode 100644
index 0000000000000000000000000000000000000000..4bf9a0a2753d5b6dd072d462fcf7f3c28a96cc35
--- /dev/null
+++ b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
@@ -0,0 +1,174 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package netscape.security.extensions;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.Extension;
+import netscape.security.x509.OIDMap;
+
+/**
+ * This represents the IEC 62351-8 IECUserRoles extension.
+ */
+public class IECUserRolesExtension extends Extension implements CertAttrSet {
+ /**
+ *
+ */
+ private static final long serialVersionUID = 172340873242193489L;
+
+ public static final String OID = "1.2.840.10070.8.1";
+
+ private Vector<Integer> roles;
+ private int op;
+
+ static {
+ try {
+ OIDMap.addAttribute(IECUserRolesExtension.class.getName(),
+ OID, IECUserRolesExtension.class.getName());
+ } catch (CertificateException e) {
+ }
+ }
+
+ public IECUserRolesExtension(Vector<Integer> userRoles, int operation) {
+ try {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ } catch (IOException e) {
+ // never here
+ }
+
+ roles = userRoles;
+ op = operation; // TODO restrict to 1..3
+ }
+
+ public IECUserRolesExtension(Boolean crit, Object byteVal)
+ throws IOException {
+ extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+ critical = crit.booleanValue();
+ extensionValue = ((byte[]) byteVal).clone();
+ }
+
+ @Override
+ public String toString() {
+ String presentation = "oid=" + OID + " ";
+
+ if (critical) {
+ presentation += "critical=true";
+ }
+ if (extensionValue != null) {
+ StringBuffer extByteValue = new StringBuffer(" val=");
+ for (int i = 0; i < extensionValue.length; i++) {
+ extByteValue.append(extensionValue[i] + " ");
+ }
+ presentation += extByteValue.toString();
+ }
+ return presentation;
+ }
+
+ public void decode(InputStream in)
+ throws CertificateException, IOException {
+ }
+
+ public void encode(DerOutputStream out) throws IOException {
+ encodeExtValue();
+ super.encode(out);
+ }
+
+ public void encode(OutputStream out)
+ throws CertificateException, IOException {
+ DerOutputStream temp = new DerOutputStream();
+ encode(temp);
+ out.write(temp.toByteArray());
+ }
+
+ public void set(String name, Object obj)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ public Object get(String name) throws CertificateException, IOException {
+ // NOT USED
+ return null;
+ }
+
+ public Enumeration<String> getAttributeNames() {
+ return null;
+ }
+
+ public String getName() {
+ return OID;
+ }
+
+ public void delete(String name)
+ throws CertificateException, IOException {
+ // NOT USED
+ }
+
+ private void encodeExtValue() throws IOException {
+ if (extensionValue != null)
+ return;
+
+ DerOutputStream outUserRoleInfo = new DerOutputStream();
+
+ // write userRole SEQUENCE SIZE (1..MAX) OF RoleID
+ DerOutputStream outRoles = new DerOutputStream();
+ for (int role : roles) {
+ outRoles.putInteger(new BigInt(role));
+ }
+ outUserRoleInfo.write(DerValue.tag_Sequence, outRoles);
+
+ // write aor (area of responsibility) UTF8String (SIZE(1..64))
+ outUserRoleInfo.putUTF8String(""); // TODO aor parameter
+
+ // write revision INTEGER (0..255)
+ outUserRoleInfo.putInteger(new BigInt(1)); // TODO revision parameter
+
+ // write roleDefinition UTF8String (0..23) OPTIONAL
+ String roleDefinition = "IEC62351-8";
+ outUserRoleInfo.putUTF8String(roleDefinition);
+
+ // write operation Operation OPTIONAL
+ if (op >= 1 && op <= 3) {
+ outUserRoleInfo.putEnumerated(op);
+ } else {
+ outUserRoleInfo.putNull();
+ }
+
+ // write statusChangeSequenceNumber INTEGER (0.. 4 294 967 295) OPTIONAL
+ outUserRoleInfo.putNull(); // TODO statusChangeSequenceNumber parameter
+
+ // write UserRoleInfo SEQUENCE (of the above information)
+ DerOutputStream outIECUserRoles = new DerOutputStream();
+ outIECUserRoles.write(DerValue.tag_Sequence, outUserRoleInfo);
+
+ // write IECUserRoles SEQUENCE OF UserRoleInfo
+ DerOutputStream out = new DerOutputStream();
+ out.write(DerValue.tag_Sequence, outIECUserRoles);
+
+ extensionValue = out.toByteArray();
+ }
+}
--
1.9.3
-------------- next part --------------
>From 0c14124f1180c9d485a676265842e0ceeeb28e2f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Aug 2014 04:08:30 -0400
Subject: [PATCH] Add IECUserRolesExtInput profile input
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/input/IECUserRolesExtInput.java | 115 +++++++++++++++++++++
base/server/cmsbundle/src/UserMessages.properties | 5 +
3 files changed, 124 insertions(+), 1 deletion(-)
create mode 100644 base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index 9cd4e6d5c89b6e9bd0323fd3fd272b4af1de9568..c4e3ab86b453bec8964d62b3fbdbac14b40f6105 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -173,7 +173,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl,iecUserRolesExtInputImpl
profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
profileInput.subjectAltNameExtInputImpl.desc=SAN Input
profileInput.subjectAltNameExtInputImpl.name=SAN Input
@@ -222,6 +222,9 @@ profileInput.subjectDNInputImpl.name=Subject DN Input
profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
profileInput.subjectNameInputImpl.desc=Subject Name Input
profileInput.subjectNameInputImpl.name=Subject Name Input
+profileInput.iecUserRolesExtInputImpl.class=com.netscape.cms.profile.input.IECUserRolesExtInput
+profileInput.iecUserRolesExtInputImpl.desc=IECUserRoles Extension Input
+profileInput.iecUserRolesExtInputImpl.name=IECUserRoles Extension Input
profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
profileOutput.certOutputImpl.desc=Certificate Output
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
new file mode 100644
index 0000000000000000000000000000000000000000..c516c8cb0115802a8c9761f6cf2aea6ca501cb2b
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
@@ -0,0 +1,115 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.profile.input;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Vector;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+
+/**
+ * This plugin accepts IEC 62351-8 IECUserRoles extension data from user.
+ */
+public class IECUserRolesExtInput extends EnrollInput implements IProfileInput {
+ public static final String VAL_USER_ROLES = "userRoles";
+ public static final String VAL_OPERATION = "operation";
+ public static final String VAL_STATUS_CHANGE_SEQ = "statusChangeSeq";
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT");
+ }
+
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ Vector<Integer> roles = new Vector<Integer>();
+ String operation = ctx.get(VAL_OPERATION);
+ int op = 1;
+ IECUserRolesExtension ext = new IECUserRolesExtension(roles, op);
+
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ try {
+ exts.set(IECUserRolesExtension.OID, ext);
+ } catch (IOException e) {
+ CMS.debug("IECUserRolesExtInput: " + e.toString());
+ throw new EProfileException("failed to set IECUserRoles extension");
+ }
+
+ request.setExtData(EnrollProfile.REQUEST_EXTENSIONS, exts);
+ }
+
+ /**
+ * Return value names
+ */
+ public Enumeration<String> getValueNames() {
+ Vector<String> v = new Vector<String>();
+ v.addElement(VAL_USER_ROLES);
+ v.addElement(VAL_OPERATION);
+ //v.addElement(VAL_STATUS_CHANGE_SEQ);
+ return v.elements();
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_USER_ROLES)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES"));
+ } else if (name.equals(VAL_OPERATION)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION"));
+ } else if (name.equals(VAL_STATUS_CHANGE_SEQ)) {
+ return new Descriptor(IDescriptor.INTEGER, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_STATUS_CHANGE_SEQ"));
+ }
+ return null;
+ }
+}
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index fe43094e6b2a0531502570bc626da557fc9061ae..ce7f950fc8d3612327483bfa10cd86378e693a7c 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -1074,6 +1074,11 @@ CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded
CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded
CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded
CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES=User Roles
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION=Operation (Add/Delete/Change)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_STATUS_CHANGE_SEQ=Status Change Sequence Number
#######################################################
# Self Tests
#
--
1.9.3
-------------- next part --------------
From 53f3a7c4f6d34347f6d184c3312b9945658a1478 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Aug 2014 01:50:11 -0400
Subject: [PATCH] Add IECUserRolesExtDefault profile default
---
base/ca/shared/conf/registry.cfg | 5 +-
.../cms/profile/def/IECUserRolesExtDefault.java | 94 ++++++++++++++++++++++
2 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index c4e3ab86b453bec8964d62b3fbdbac14b40f6105..d355d0252651cc538e482aebc9bfec17134f7566 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -42,7 +42,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,iecUserRolesExtDefaultImpl
defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -160,6 +160,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attribut
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.class=com.netscape.cms.profile.def.IECUserRolesExtDefault
+defaultPolicy.iecUserRolesExtDefaultImpl.desc=IECUserRoles Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.name=IECUserRoles Extension Default
profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
new file mode 100644
index 0000000000000000000000000000000000000000..34c4f902cab39470f0cbc9ebaa4845f347abaae8
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates IECUserRoles extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IECUserRolesExtDefault extends EnrollExtDefault {
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void setValue(String name, Locale locale,
+ X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ public String getValue(String name, Locale locale,
+ X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return "IECUserRolesExtDefault";
+ //return CMS.getUserMessage(locale,
+ //"CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params);
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IRequest request, X509CertInfo info)
+ throws EProfileException {
+ CMS.debug("START IEC DEFAULT POPULATE");
+ CertificateExtensions exts =
+ request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+ if (exts == null) {
+ throw new EProfileException("extensions not found");
+ }
+ IECUserRolesExtension ext = null;
+ try {
+ ext = (IECUserRolesExtension) exts.get(IECUserRolesExtension.OID);
+ } catch (IOException e) {
+ throw new EProfileException("failed to get IECUserRoles extension");
+ }
+
+ addExtension(IECUserRolesExtension.OID, ext, info);
+ CMS.debug("DONE IEC DEFAULT POPULATE");
+ }
+}
--
1.9.3
-------------- next part --------------
From 0b0b9e89bd2203f94789410407a6fb9c32cad8ca Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Aug 2014 02:05:47 -0400
Subject: [PATCH] Add DNP3 ID certificate profile
---
base/ca/shared/conf/CS.cfg.in | 4 +-
base/ca/shared/profiles/ca/caDnp3IdCert.cfg | 59 +++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 base/ca/shared/profiles/ca/caDnp3IdCert.cfg
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..28e626b3a5c03441dca3529fa3f38da978ec5dc5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -961,7 +961,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment,caDnp3IdCert
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1080,6 +1080,8 @@ profile.caEncUserCert.class_id=caEnrollImpl
profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
profile.caEncECUserCert.class_id=caEnrollImpl
profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
+profile.caDnp3IdCert.class_id=caEnrollImpl
+profile.caDnp3IdCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDnp3IdCert.cfg
registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
processor.caProfileProcess.getClientCert=true
processor.caProfileProcess.authzMgr=BasicAclAuthz
diff --git a/base/ca/shared/profiles/ca/caDnp3IdCert.cfg b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..111b01187af17b2a9c92b627dc0ca28edc0f75f9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
@@ -0,0 +1,59 @@
+desc=Profile for enrolling DNP3 ID certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=DNP3 ID certificate enrollment
+input.list=i1,i2,i3,i4
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i3.class_id=iecUserRolesExtInputImpl
+input.i4.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7
+policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.1.constraint.name=No Constraint
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.6.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.6.default.name=Signing Alg
+policyset.serverCertSet.6.default.params.signingAlg=-
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=iecUserRolesExtDefaultImpl
+policyset.serverCertSet.7.default.name=IEC User Roles Extension Default
--
1.9.3
More information about the Pki-devel
mailing list