[Pki-devel] [PATCH] 0010..0013 v3 DNP3/IECUserRoles extension support

Fraser Tweedale ftweedal at redhat.com
Wed Sep 17 06:53:34 UTC 2014


On Mon, Sep 08, 2014 at 04:00:16PM -0700, Christina Fu wrote:
> Hi Fraser,
> 
> My apologies for getting back to you this late due to Dogtag release.
> (I think there may be a major issue there, so you might want to jump to the
> "hmmm" part first)
> 
> General:
> * It would help if in the review request email, you could put a link to the
> spec you are coding against.  I had to search around and every place I
> looked it requires me to sign in or purchase.
> 
> IECUserRolesExtension.java
> * It would help if you could put the relevant ASN1 in the extension code
> IECUserRolesExtension.java
> * the getName() method returns the OID string instead of the conventional
> name of the class
> * by convention, other existing extension classes use the JAVA class Boolean
> instead of the native boolean for criticality.  Please try to stick to it.
> * hmmm... Shouldn't this extension be a "SEQUENCE of" "UserRoleInfo"?  This
> code seems to implement only the "UserRoleInfo" part.
> This would be a major problem.
> You might want to take a look at how SubjectAlternativeNameExtension.java is
> done where it is a "SEQUENCE of" GeneralName
> See: http://tools.ietf.org/html/rfc5280#section-4.2.1.6 scroll down a bit to
> see the ASN1 definition.
> Search in our code for the following:
> - SubjectAlternativeNameExtension.java
> - GeneralNames
> - GeneralName
> 
> Again, since I don't have the spec that you code against, I might be
> wrong; please supply the ASN1 spec to this extension before I continue.
> 
> I think I will stop here and let you work on / respond to the above first as
> it seems like a deal breaker if I was right.
> 
> regards,
> Christina

Above issues have been addressed; new patches attached.

Fraser

> 
> On 08/18/2014 12:03 AM, Fraser Tweedale wrote:
> >On Thu, Aug 14, 2014 at 04:26:59PM +1000, Fraser Tweedale wrote:
> >>On Thu, Aug 14, 2014 at 04:21:57PM +1000, Fraser Tweedale wrote:
> >>>Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
> >>>extension support and a DNP3 profile that makes use of it.  This is
> >>>to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
> >>>Authentication v5 (SAv5) standard.
> >>>
> >>>In brief, the SN and all the IECUserRoles params will be given in
> >>>profile inputs, and the key is taken from a CertReqInput.
> >>>
> >>>There's still a bit of work to go - notably, some of the
> >>>IECUserRoles fields are unimplemented, and some of those that *are*
> >>>implemented are not yet read out of the profile input but rather are
> >>>hardcoded.  The extension *does* appear on the certificate, so I
> >>>should get that all completed tomorrow.
> >>>
> >>>Cheers,
> >>>
> >>>Fraser
> >>>
> >These patches have been completed and are ready for review.  New
> >versions are attached.
> >
> >
> >_______________________________________________
> >Pki-devel mailing list
> >Pki-devel at redhat.com
> >https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
From 5084610dfd9b25f97fce5b172fa47a7abdf324aa Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 11 Aug 2014 03:10:04 -0400
Subject: [PATCH 10/13] Add IECUserRolesExtension class

---
 .../security/extensions/IECUserRolesExtension.java | 271 +++++++++++++++++++++
 1 file changed, 271 insertions(+)
 create mode 100644 base/util/src/netscape/security/extensions/IECUserRolesExtension.java

diff --git a/base/util/src/netscape/security/extensions/IECUserRolesExtension.java b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
new file mode 100644
index 0000000000000000000000000000000000000000..330a670af0bcd81ac437c87475c2222c20886576
--- /dev/null
+++ b/base/util/src/netscape/security/extensions/IECUserRolesExtension.java
@@ -0,0 +1,271 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package netscape.security.extensions;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.Extension;
+import netscape.security.x509.OIDMap;
+
+/**
+ * This represents the IEC 62351-8 IECUserRoles extension.
+ *
+ * ASN.1:
+ *
+ * id-IEC62351 OBJECT_IDENTIFIER ::= { 1 2 840 10070 }
+ *
+ * id-IECuserRoles OBJECT_IDENTIFIER ::= id-IEC62351 { 8 1 }
+ *
+ * IECUserRoles ::= SEQUENCE OF UserRoleInfo
+ *
+ * UserRoleInfo ::= SEQUENCE { -- contains the role information blob
+ *   -- IEC62351 specific parameter
+ *   userRole                   SEQUENCE SIZE (1..MAX) OF RoleID
+ *   aor                        UTF8String (SIZE(1..64)),
+ *   revision                   INTEGER (0..255),
+ *   roleDefinition             UTF8String (0..23) OPTIONAL,
+ *   -- optional fields to be used within IEEE 1815 and IEC60870-5
+ *   operation                  Operation OPTIONAL,
+ *   statusChangeSequenceNumber INTEGER (0..4 294 967 295) OPTIONAL,
+ *   }
+ *
+ * RoleId ::= INTEGER (-32 768..32 767)
+ *
+ * Operation ::= ENUMERATED { Add (1), Delete (2), Change (3) }
+ *
+ */
+public class IECUserRolesExtension extends Extension implements CertAttrSet {
+    private static final long serialVersionUID = 172340873242193489L;
+
+    public static final String OID = "1.2.840.10070.8.1";
+    public static final String NAME = "IECUserRoles";
+    public enum Operation { ADD, DELETE, CHANGE };
+    public static final BigInteger MAX_STATUS_CHANGE_SEQNO =
+        new BigInteger("4294967295");
+
+    public Vector<UserRoleInfo> iecUserRoles;
+
+    static {
+        try {
+            OIDMap.addAttribute(IECUserRolesExtension.class.getName(),
+                OID, IECUserRolesExtension.class.getName());
+        } catch (CertificateException e) {
+        }
+    }
+
+    public IECUserRolesExtension(
+        boolean crit,
+        Vector<UserRoleInfo> iecUserRoles
+    ) throws CertificateException {
+        try {
+            extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+        } catch (IOException e) {
+            // never here
+        }
+
+        critical = crit;
+        this.iecUserRoles = iecUserRoles;
+    }
+
+    public IECUserRolesExtension(Boolean crit, Object byteVal)
+            throws IOException {
+        extensionId = ObjectIdentifier.getObjectIdentifier(OID);
+        critical = crit.booleanValue();
+        extensionValue = ((byte[]) byteVal).clone();
+    }
+
+    @Override
+    public String toString() {
+        String presentation = "oid=" + OID + " ";
+
+        if (critical) {
+            presentation += "critical=true";
+        }
+        if (extensionValue != null) {
+            StringBuffer extByteValue = new StringBuffer(" val=");
+            for (int i = 0; i < extensionValue.length; i++) {
+                extByteValue.append(extensionValue[i] + " ");
+            }
+            presentation += extByteValue.toString();
+        }
+        return presentation;
+    }
+
+    public void decode(InputStream in)
+            throws CertificateException, IOException {
+    }
+
+    public void encode(DerOutputStream out) throws IOException {
+        encodeExtValue();
+        super.encode(out);
+    }
+
+    public void encode(OutputStream out)
+            throws CertificateException, IOException {
+        DerOutputStream temp = new DerOutputStream();
+        encode(temp);
+        out.write(temp.toByteArray());
+    }
+
+    public void set(String name, Object obj)
+            throws CertificateException, IOException {
+        // NOT USED
+    }
+
+    public Object get(String name) throws CertificateException, IOException {
+        // NOT USED
+        return null;
+    }
+
+    public Enumeration<String> getAttributeNames() {
+        return null;
+    }
+
+    public String getName() {
+        return NAME;
+    }
+
+    public void delete(String name)
+            throws CertificateException, IOException {
+        // NOT USED
+    }
+
+    private void encodeExtValue() throws IOException {
+        if (extensionValue != null)
+            return;
+
+        // write IECUserRoles SEQUENCE OF UserRoleInfo
+        DerOutputStream outIECUserRoles = new DerOutputStream();
+        for (UserRoleInfo userRoleInfo : iecUserRoles) {
+            userRoleInfo.encode(outIECUserRoles);
+        }
+
+        DerOutputStream out = new DerOutputStream();
+        out.write(DerValue.tag_Sequence, outIECUserRoles);
+        extensionValue = out.toByteArray();
+    }
+
+    public static class UserRoleInfo {
+        private Vector<Integer> userRole;
+        private String aor;
+        private int revision;
+        private String roleDefinition;
+        private Operation operation;
+        private BigInteger statusChangeSequenceNumber;
+
+        public UserRoleInfo(
+            Vector<Integer> userRole,
+            String aor,
+            int revision,
+            String roleDefinition,
+            Operation operation,
+            BigInteger statusChangeSequenceNumber
+        ) throws CertificateException {
+            // userRole SEQUENCE SIZE (1..MAX) OF RoleID
+            // RoleId ::= INTEGER (-32 768..32 767)
+            if (userRole == null)
+                throw new CertificateException("userRole cannot be null");
+            if (userRole.size() < 1)
+                throw new CertificateException("userRole must have at least one element");
+            for (int roleId : userRole) {
+                if (roleId < -32768 || roleId > 32767)
+                    throw new CertificateException("RoleId must be in range (-32 768..32 767)");
+            }
+            this.userRole = userRole;
+
+            // aor (area of responsibility) UTF8String (SIZE(1..64))
+            if (aor == null)
+                throw new CertificateException("aor cannot be null");
+            if (aor.isEmpty() || aor.length() > 64)
+                throw new CertificateException("aor must be of SIZE(1..64)");
+            this.aor = aor;
+
+            // revision INTEGER (0..255)
+            if (revision < 0 || revision > 255)
+                throw new CertificateException("revision must be in range (0..255)");
+            this.revision = revision;
+
+            // roleDefinition UTF8String (0..23) OPTIONAL
+            if (roleDefinition != null && roleDefinition.length() > 23)
+                throw new CertificateException("roleDefinition must be of SIZE(0..23)");
+            this.roleDefinition = roleDefinition;
+
+            // operation Operation OPTIONAL
+            // Operation ::= ENUMERATED { Add (1), Delete (2), Change (3) }
+            this.operation = operation;
+
+            // statusChangeSequenceNumber INTEGER (0..4 294 967 295) OPTIONAL
+            if (statusChangeSequenceNumber != null && (
+                    statusChangeSequenceNumber.compareTo(BigInteger.ZERO) < 0
+                    || statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) > 1))
+                throw new CertificateException(
+                    "statusChangeSequenceNumber must be in range (0..4 294 967 295)");
+            this.statusChangeSequenceNumber = statusChangeSequenceNumber;
+        }
+
+        public void encode(DerOutputStream out) throws IOException {
+            DerOutputStream outUserRoleInfo = new DerOutputStream();
+
+            DerOutputStream outRoles = new DerOutputStream();
+            for (int role : userRole) {
+                outRoles.putInteger(new BigInt(role));
+            }
+            outUserRoleInfo.write(DerValue.tag_Sequence, outRoles);
+
+            outUserRoleInfo.putUTF8String(aor);
+
+            outUserRoleInfo.putInteger(new BigInt(revision));
+
+            if (roleDefinition != null)
+                outUserRoleInfo.putUTF8String(roleDefinition);
+
+            if (operation != null) {
+                int op = 0;
+                switch (operation) {
+                case ADD:
+                    op = 1;
+                    break;
+                case DELETE:
+                    op = 2;
+                    break;
+                case CHANGE:
+                    op = 3;
+                    break;
+                }
+                outUserRoleInfo.putEnumerated(op);
+            }
+
+            if (statusChangeSequenceNumber != null)
+                outUserRoleInfo.putInteger(new BigInt(statusChangeSequenceNumber));
+
+            // write UserRoleInfo SEQUENCE (of the above information)
+            out.write(DerValue.tag_Sequence, outUserRoleInfo);
+        }
+    }
+}
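Review bot: the upper-bound check on statusChangeSequenceNumber in the UserRoleInfo constructor never fires: `compareTo` returns -1, 0 or 1, so `statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) > 1` is always false and any value above 4294967295 is accepted and DER-encoded as-is; it should read `statusChangeSequenceNumber.compareTo(MAX_STATUS_CHANGE_SEQNO) > 0`. Two smaller points in the same file: `decode(InputStream)` has an empty body, so an IECUserRoles extension read back via the `(Boolean, Object)` constructor keeps only the raw bytes (which is also all `toString()` can print), and the static initializer swallows the `CertificateException` from `OIDMap.addAttribute` without even a debug log, which would make a failed OID registration invisible at runtime.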
-- 
1.9.3

-------------- next part --------------
From 0e4aad5657aa0d5bde4af16ad828f56940293179 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Aug 2014 04:08:30 -0400
Subject: [PATCH 11/13] Add IECUserRolesExtInput profile input

---
 base/ca/shared/conf/registry.cfg                   |   5 +-
 .../cms/profile/input/IECUserRolesExtInput.java    | 208 +++++++++++++++++++++
 base/server/cmsbundle/src/UserMessages.properties  |   8 +
 3 files changed, 220 insertions(+), 1 deletion(-)
 create mode 100644 base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java

diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index 9cd4e6d5c89b6e9bd0323fd3fd272b4af1de9568..c4e3ab86b453bec8964d62b3fbdbac14b40f6105 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -173,7 +173,7 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
 profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
 profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
 profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl,iecUserRolesExtInputImpl
 profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
 profileInput.subjectAltNameExtInputImpl.desc=SAN Input
 profileInput.subjectAltNameExtInputImpl.name=SAN Input
@@ -222,6 +222,9 @@ profileInput.subjectDNInputImpl.name=Subject DN Input
 profileInput.subjectNameInputImpl.class=com.netscape.cms.profile.input.SubjectNameInput
 profileInput.subjectNameInputImpl.desc=Subject Name Input
 profileInput.subjectNameInputImpl.name=Subject Name Input
+profileInput.iecUserRolesExtInputImpl.class=com.netscape.cms.profile.input.IECUserRolesExtInput
+profileInput.iecUserRolesExtInputImpl.desc=IECUserRoles Extension Input
+profileInput.iecUserRolesExtInputImpl.name=IECUserRoles Extension Input
 profileOutput.ids=certOutputImpl,cmmfOutputImpl,pkcs7OutputImpl,nsNKeyOutputImpl
 profileOutput.certOutputImpl.class=com.netscape.cms.profile.output.CertOutput
 profileOutput.certOutputImpl.desc=Certificate Output
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
new file mode 100644
index 0000000000000000000000000000000000000000..79acebfc0a8289ff7f7a208d0c2a95690fb9171e
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/IECUserRolesExtInput.java
@@ -0,0 +1,208 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.profile.input;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.Vector;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileContext;
+import com.netscape.certsrv.profile.IProfileInput;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+
+/**
+ * This plugin accepts IEC 62351-8 IECUserRoles extension data from user.
+ *
+ * Only a single UserRoleInfo object is accepted.  The
+ * IECUserRolesExtension implementation does support multiple
+ * UserRoleInfo objects, but additional work is required in this
+ * Input to make it possible to use more than one.
+ */
+public class IECUserRolesExtInput extends EnrollInput implements IProfileInput {
+    public static final String CONFIG_ROLE_DEFINITION = "role_definition";
+    public static final String CONFIG_OPERATION_REQUIRED = "operation_required";
+
+    public static final String VAL_USER_ROLES = "userRole";
+    public static final String VAL_AOR = "aor";
+    public static final String VAL_REVISION = "revision";
+    public static final String VAL_OPERATION = "operation";
+
+    public IECUserRolesExtInput() {
+        addConfigName(CONFIG_ROLE_DEFINITION);
+        addConfigName(CONFIG_OPERATION_REQUIRED);
+    }
+
+    /**
+     * Retrieves the localizable name of this policy.
+     */
+    public String getName(Locale locale) {
+        return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME");
+    }
+
+    /**
+     * Retrieves the localizable description of this policy.
+     */
+    public String getText(Locale locale) {
+        return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT");
+    }
+
+    public void populate(IProfileContext ctx, IRequest request)
+            throws EProfileException {
+
+        Vector<Integer> userRole = new Vector<Integer>();
+        String userRoleString = ctx.get(VAL_USER_ROLES);
+        StringTokenizer tok = new StringTokenizer(userRoleString, ",");
+        while (tok.hasMoreTokens()) {
+            try {
+                userRole.add(new Integer(tok.nextToken()));
+            } catch (NumberFormatException e) {
+                throw new EProfileException("RoleIDs must be integers");
+            }
+        }
+
+        String aor = ctx.get(VAL_AOR);
+
+        String revisionString = ctx.get(VAL_REVISION);
+        int revision = -1;
+        try {
+            revision = Integer.parseInt(revisionString);
+        } catch (NumberFormatException e) {
+            throw new EProfileException("revision must be an integer");
+        }
+
+        String roleDefinition = getConfig(CONFIG_ROLE_DEFINITION);
+
+        IECUserRolesExtension.Operation operation = null;
+        String operationString = ctx.get(VAL_OPERATION).trim();
+        if (operationString.equals("1")
+                || operationString.equalsIgnoreCase("ADD")) {
+            operation = IECUserRolesExtension.Operation.ADD;
+        } else if (operationString.equals("2")
+                || operationString.equalsIgnoreCase("DELETE")) {
+            operation = IECUserRolesExtension.Operation.DELETE;
+        } else if (operationString.equals("3")
+                || operationString.equalsIgnoreCase("CHANGE")) {
+            operation = IECUserRolesExtension.Operation.CHANGE;
+        }
+        String operationRequired = getConfig(CONFIG_OPERATION_REQUIRED);
+        if (operationRequired != null
+                && operationRequired.equalsIgnoreCase("true")
+                && operation == null) {
+            throw new EProfileException("operation is required");
+        }
+
+        // IEEE 1815-2012: "Optional if the authority can guarantee
+        // Certificate.tbsCertificate.serialNumber will always
+        // increase for this user.
+        //
+        BigInteger statusChangeSequenceNumber = null;
+
+        // create extension
+        IECUserRolesExtension ext;
+        try {
+            IECUserRolesExtension.UserRoleInfo userRoleInfo =
+                new IECUserRolesExtension.UserRoleInfo(
+                    userRole, aor, revision, roleDefinition,
+                    operation, statusChangeSequenceNumber
+                );
+            Vector<IECUserRolesExtension.UserRoleInfo> iecUserRoles = new Vector();
+            iecUserRoles.add(userRoleInfo);
+            ext = new IECUserRolesExtension(false, iecUserRoles);
+        } catch (CertificateException e) {
+            throw new EProfileException(
+                "failed to construct IECUserRoles extension: " + e.toString());
+        }
+
+        CertificateExtensions exts =
+            request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+        if (exts == null) {
+            throw new EProfileException("extensions not found");
+        }
+        try {
+            exts.set(IECUserRolesExtension.NAME, ext);
+        } catch (IOException e) {
+            CMS.debug("IECUserRolesExtInput: " + e.toString());
+            throw new EProfileException("failed to set IECUserRoles extension");
+        }
+
+        request.setExtData(EnrollProfile.REQUEST_EXTENSIONS, exts);
+    }
+
+    /**
+     * Return value names
+     */
+    public Enumeration<String> getValueNames() {
+        Vector<String> v = new Vector<String>();
+        v.addElement(VAL_USER_ROLES);
+        v.addElement(VAL_AOR);
+        v.addElement(VAL_REVISION);
+        v.addElement(VAL_OPERATION);
+        return v.elements();
+    }
+
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
+        if (name.equals(CONFIG_ROLE_DEFINITION)) {
+            return new Descriptor(IDescriptor.STRING, null, null,
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION"));
+        } else if (name.equals(CONFIG_OPERATION_REQUIRED)) {
+            return new Descriptor(IDescriptor.BOOLEAN, null, "false",
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED"));
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * Retrieves the descriptor of the given value
+     * parameter by name.
+     */
+    public IDescriptor getValueDescriptor(Locale locale, String name) {
+        if (name.equals(VAL_USER_ROLES)) {
+            return new Descriptor(IDescriptor.STRING, null, null,
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES"));
+        } else if (name.equals(VAL_AOR)) {
+            return new Descriptor(IDescriptor.STRING, null, null,
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR"));
+        } else if (name.equals(VAL_REVISION)) {
+            return new Descriptor(IDescriptor.STRING, null, null,
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION"));
+        } else if (name.equals(VAL_OPERATION)) {
+            return new Descriptor(IDescriptor.STRING, null, null,
+                CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION"));
+        }
+        return null;
+    }
+}
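Review bot: `populate()` calls `ctx.get(VAL_OPERATION).trim()` unconditionally, but operation is OPTIONAL in the extension and this input even has an `operation_required` config, so a request that omits the value raises a NullPointerException before the "operation is required" check is reached; `ctx.get(VAL_USER_ROLES)` is likewise handed to `StringTokenizer` with no null check. Read each value into a local, null/empty-check it, and reject an unrecognised non-empty operation string with an EProfileException rather than letting the `if`/`else if` chain fall through to `operation = null` for a typo. Also, `new Vector()` on the `iecUserRoles` line is a raw type (use `new Vector<IECUserRolesExtension.UserRoleInfo>()`), and the imports `EBaseException`, `IConfigStore`, `IProfile` and `X509CertInfo` are unused in this file.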
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index fe43094e6b2a0531502570bc626da557fc9061ae..194dfb4e6146f118d75324d35067fd78a5549d1a 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -1074,6 +1074,14 @@ CMS_PROFILE_OUTPUT_CERT_B64=Certificate Base-64 Encoded
 CMS_PROFILE_OUTPUT_CMMF_B64=CMMF Base-64 Encoded
 CMS_PROFILE_OUTPUT_PKCS7_B64=PKCS #7 Base-64 Encoded
 CMS_PROFILE_OUTPUT_DER_B64=DER Base 64 Encoded
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_NAME=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT=IECUserRoles Extension Input
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_USER_ROLES=User Roles
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_AOR=Area of Responsibility (AOR)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_REVISION=Revision number
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_ROLE_DEFINITION=Role Definition
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION=Operation (Add/Delete/Change)
+CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_OPERATION_REQUIRED=Require Operation Value
 #######################################################
 # Self Tests
 #
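Review bot: CMS_PROFILE_INPUT_IEC_USER_ROLES_EXT_TEXT repeats the NAME string; `getText()` is the description shown alongside the input, so a sentence describing what the operator must supply (role IDs, area of responsibility, revision and optional operation for the IEC 62351-8 IECUserRoles extension) would be more useful than the name again. The REVISION label ("Revision number") is also the only one not in title case next to "User Roles" and "Role Definition"; pick one style.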
-- 
1.9.3

-------------- next part --------------
From bff36192d399fcee04afea61b74fa280e07af6b2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Aug 2014 01:50:11 -0400
Subject: [PATCH 12/13] Add IECUserRolesExtDefault profile default

---
 base/ca/shared/conf/registry.cfg                   |  5 +-
 .../cms/profile/def/IECUserRolesExtDefault.java    | 94 ++++++++++++++++++++++
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java

diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index c4e3ab86b453bec8964d62b3fbdbac14b40f6105..d355d0252651cc538e482aebc9bfec17134f7566 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -42,7 +42,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
 constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
 constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
 constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl
+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,iecUserRolesExtDefaultImpl
 defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
 defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
 defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
@@ -160,6 +160,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attribut
 defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
 defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
 defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.class=com.netscape.cms.profile.def.IECUserRolesExtDefault
+defaultPolicy.iecUserRolesExtDefaultImpl.desc=IECUserRoles Extension Default
+defaultPolicy.iecUserRolesExtDefaultImpl.name=IECUserRoles Extension Default
 profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
 profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
 profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
new file mode 100644
index 0000000000000000000000000000000000000000..aaf539b3ae8ae71d22cbddac25c63a578a0c1a2b
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/def/IECUserRolesExtDefault.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2014 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import netscape.security.extensions.IECUserRolesExtension;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertInfo;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.common.EnrollProfile;
+
+/**
+ * This class implements an enrollment default policy
+ * that populates IECUserRoles extension
+ * into the certificate template.
+ *
+ * @version $Revision$, $Date$
+ */
+public class IECUserRolesExtDefault extends EnrollExtDefault {
+
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
+        return null;
+    }
+
+    public IDescriptor getValueDescriptor(Locale locale, String name) {
+        return null;
+    }
+
+    public void setValue(String name, Locale locale,
+            X509CertInfo info, String value)
+            throws EPropertyException {
+    }
+
+    public String getValue(String name, Locale locale,
+            X509CertInfo info)
+            throws EPropertyException {
+        return null;
+    }
+
+    public String getText(Locale locale) {
+        return "IECUserRolesExtDefault";
+        //return CMS.getUserMessage(locale,
+                //"CMS_PROFILE_DEF_EXTENDED_KEY_EXT", params);
+    }
+
+    /**
+     * Populates the request with this policy default.
+     */
+    public void populate(IRequest request, X509CertInfo info)
+            throws EProfileException {
+        CMS.debug("START IEC DEFAULT POPULATE");
+        CertificateExtensions exts =
+            request.getExtDataInCertExts(EnrollProfile.REQUEST_EXTENSIONS);
+        if (exts == null) {
+            throw new EProfileException("extensions not found");
+        }
+        IECUserRolesExtension ext = null;
+        try {
+            ext = (IECUserRolesExtension) exts.get(IECUserRolesExtension.NAME);
+        } catch (IOException e) {
+            throw new EProfileException("failed to get IECUserRoles extension");
+        }
+
+        addExtension(IECUserRolesExtension.OID, ext, info);
+        CMS.debug("DONE IEC DEFAULT POPULATE");
+    }
+}
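Review bot: `populate()` copies the IECUserRoles extension straight from the request (`exts.get(IECUserRolesExtension.NAME)`) into the certificate template with no check on its contents, which means the role assertions that end up in the issued certificate are exactly whatever the requester submitted; since this default is paired with `noConstraintImpl` in the profile, nothing in the policy set validates the roles before signing, so either this default or a dedicated constraint should check the decoded role values (or the approval step must be documented as the only control). Two smaller points in the same hunk: the `catch (IOException e)` rethrows `new EProfileException("failed to get IECUserRoles extension")` without chaining or logging `e`, so the reason (extension absent from the request versus a decoding error) is lost, and the message should distinguish the two; and the file carries unused imports (`Enumeration`, `StringTokenizer`, `IConfigStore`, `IProfile`, `Descriptor`), a commented-out `CMS.getUserMessage` call in `getText()` that references the wrong message key (`CMS_PROFILE_DEF_EXTENDED_KEY_EXT`), and `START`/`DONE IEC DEFAULT POPULATE` debug lines that look like leftovers from development. `getConfigDescriptor()`/`getValueDescriptor()` returning `null` and the empty `setValue()` should at least get a comment stating that this default is intentionally not configurable and exposes no editable value.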
-- 
1.9.3

-------------- next part --------------
From 92229b6b7997bbd5495f8de76de539e83c720601 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Aug 2014 02:05:47 -0400
Subject: [PATCH 13/13] Add DNP3 ID certificate profile

---
 base/ca/shared/conf/CS.cfg.in               |  4 +-
 base/ca/shared/profiles/ca/caDnp3IdCert.cfg | 61 +++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 base/ca/shared/profiles/ca/caDnp3IdCert.cfg

diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..28e626b3a5c03441dca3529fa3f38da978ec5dc5 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -961,7 +961,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment,caDnp3IdCert
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -1080,6 +1080,8 @@ profile.caEncUserCert.class_id=caEnrollImpl
 profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
 profile.caEncECUserCert.class_id=caEnrollImpl
 profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
+profile.caDnp3IdCert.class_id=caEnrollImpl
+profile.caDnp3IdCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDnp3IdCert.cfg
 registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
 processor.caProfileProcess.getClientCert=true
 processor.caProfileProcess.authzMgr=BasicAclAuthz
diff --git a/base/ca/shared/profiles/ca/caDnp3IdCert.cfg b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..c17ca805121abcd346c88089388c360401b0cdf9
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caDnp3IdCert.cfg
@@ -0,0 +1,61 @@
+desc=Profile for enrolling DNP3 ID certificates
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=DNP3 ID certificate enrollment
+input.list=i1,i2,i3,i4
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i3.class_id=iecUserRolesExtInputImpl
+input.i3.params.role_definition=IEC62351-8
+input.i3.params.operation_required=true
+input.i4.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7
+policyset.serverCertSet.1.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.1.constraint.name=No Constraint
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.6.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.6.default.name=Signing Alg
+policyset.serverCertSet.6.default.params.signingAlg=-
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=iecUserRolesExtDefaultImpl
+policyset.serverCertSet.7.default.name=IEC User Roles Extension Default
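Review bot: policy 7 pairs `iecUserRolesExtDefaultImpl` with `noConstraintImpl`, and the roles come from `input.i3.class_id=iecUserRolesExtInputImpl`, i.e. from the submitter; combined with `auth.class_id=` (no authentication plugin), the only thing standing between a submitted role claim and a signed certificate is agent approval, so a constraint on the permitted roles, or at least a note in `desc` that agents must verify the roles, belongs in this profile. Also in this hunk: `policyset.serverCertSet.6.constraint.name=No Constraint` is mislabelled (the class is `signingAlgConstraintImpl`), and `signingAlgsAllowed` admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants while `keyParameters` admits `1024`; for a new profile there is no reason to carry the weak entries over from the template, so trim the list to SHA-256 and stronger and drop 1024-bit RSA. The policy set contains no key usage or extended key usage default, so the issued certificate will carry neither; if that is intentional for a DNP3 ID certificate, say so in `desc`, otherwise add the key usage policy. Finally, the set is named `serverCertSet` although this is an identity profile; a name such as an ID-specific set name would avoid confusion with the server-certificate profiles it was copied from.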
-- 
1.9.3