Bug 471622
Description
Christina Fu
2008-11-14 17:55:28 UTC
Created attachment 323610 [details]
renewal feature. Phase 1.
Renewal feature phase 1 diff. New files will be attached separately.
Created attachment 323611 [details]
This allows admins to set grace period for renewal
pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Created attachment 323612 [details]
This allows serial number profile input (decimal only)
pki/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
Created attachment 323613 [details]
authentication plugin that provides ssl client cert authentication
pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
Created attachment 323614 [details]
authorization access evaluator that checks auth token against orig cert/req (uid only)
pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
Created attachment 323619 [details]
directory uid/pwd based renew enrollment profile
pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
Created attachment 323621 [details]
manual renew enrollment (needs to be approved by agent manually)
pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
Created attachment 323623 [details]
enrollment profile that allows renew by ssl client cert (the one to be renewed)
pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
The attachments are for the phase 1 feature implementation of certificate renewal. The feature description:

* This is only designed to reuse the keys associated with the certificate to be renewed. New-key renewal should just go through a new enrollment.
* There are three default renewal profiles that come with this phase 1 implementation:
  1. caSSLClientSelfRenewal - ssl client authentication. The client cert is the cert that is to be renewed. This profile is only for certs that can do ssl client authentication.
  2. caDirUserRenewal - directory uid/pwd based authentication. This is usually to be used by certs that can not do ssl client authentication.
  3. caManualRenewal - manual request (taking a serial number), and manual approval by an agent. This is usually used for server cert renewal.

There are some limitations:

* The first 5 certs of a self-signed CA that are crafted during post-installation configuration can not be renewed currently. They were created outside of the profile framework, thus require special care.
* The original profile id must exist for the renewal to be allowed. This inadvertently allows admin to change the profile for the new renewed cert.
* The grace period control is placed with the original profile. Grace periods containing negative values are considered no grace period placed.
* The serial number currently can only take decimal numbers.
* The authorization evaluator can only evaluate uid equivalence. So, if the subjectdn does not contain a uid component or the original cert request was not authenticated via uid, then we are out of luck. The authorization, however, is placed with the renewal profiles, so there is a choice to turn it off.
* There may be more and will be listed when they come to mind.

awnuk, please review.

Created attachment 323672 [details]
added revocation check for cert to be renewed
Adding to the list of feature description:

* The ldap based and manual renewal are also useful for ssl client certs that have expired and are not allowed to do ssl client authentication.

Adding to the limitation list:

* Only two default profiles (caUserCert.cfg and caDirUserCert.cfg) get the example of grace period constraint. Admins should be advised to add their own. By default, if no grace period is specified, it is treated as no constraint in that respect.
* Profile id in request showing only the orig profileid (not the actual renew profile id) doesn't show "renew" status.

Created attachment 323674 [details]
phase 1, more cleanup
since Andrew has not started the review, I am sneaking in more cleanup.
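The checks listed in the feature description and limitation list above (the grace period around expiry with negative values meaning no limit on that side, the revocation check on the cert to be renewed, the requirement that the original profile id still exist, decimal-only serial number input, and the uid-only authorization evaluator that can be turned off per renewal profile) are modeled together in the following Python, written as an added example for this page; it is not code from the bug's attachments or from the PKI project. The record layout, the day-based graceBefore/graceAfter parameters, function names and the sample certificates are all assumptions made for the illustration.

```python
# Added illustration for this page; not Dogtag/PKI code. Models the phase 1
# renewal checks described in the bug comments. Names and the day-based grace
# parameters are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class OrigCert:
    """The certificate to be renewed, as the CA already has it on record."""
    serial: int
    subject_dn: str      # e.g. "UID=alice,OU=people,O=Example"
    not_after: datetime  # expiry of the original cert
    revoked: bool
    profile_id: str      # profile the original cert was issued under


def parse_serial(text: str) -> int:
    """Phase 1 serial number input accepts decimal digits only (no hex, no 0x)."""
    s = text.strip()
    if not s.isdigit():
        raise ValueError("serial number must be decimal digits only: %r" % text)
    return int(s)


def dn_component(dn: str, attr: str) -> Optional[str]:
    """Value of the first RDN of the given attribute type in a comma-separated DN."""
    for rdn in dn.split(","):
        if "=" in rdn:
            k, v = rdn.split("=", 1)
            if k.strip().lower() == attr.lower():
                return v.strip()
    return None


def within_grace_period(not_after: datetime, now: datetime,
                        grace_before: int, grace_after: int) -> bool:
    """Renewal window from grace_before days before expiry to grace_after days
    after it. A negative value on either side means that side is unconstrained."""
    if grace_before >= 0 and now < not_after - timedelta(days=grace_before):
        return False  # too early to renew
    if grace_after >= 0 and now > not_after + timedelta(days=grace_after):
        return False  # too late to renew
    return True


def evaluate_renewal(cert: OrigCert, auth_uid: Optional[str], now: datetime,
                     grace_before: int, grace_after: int,
                     known_profiles: Set[str],
                     authz_enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether a key-reusing renewal of `cert` may proceed."""
    if cert.profile_id not in known_profiles:
        return False, "original profile id does not exist"
    if cert.revoked:
        return False, "certificate to be renewed is revoked"
    if not within_grace_period(cert.not_after, now, grace_before, grace_after):
        return False, "outside the renewal grace period"
    if authz_enabled:
        # The phase 1 evaluator only compares uid: a subject without a uid
        # component cannot be authorized unless authz is turned off in the profile.
        orig_uid = dn_component(cert.subject_dn, "UID")
        if orig_uid is None:
            return False, "original cert has no uid component; cannot evaluate authorization"
        if auth_uid != orig_uid:
            return False, "authenticated uid does not match original cert uid"
    return True, "renewal allowed"


# Constructed sample data (not taken from the bug report).
PROFILES = {"caUserCert", "caDirUserCert", "caServerCert"}
NOW = datetime(2008, 12, 15)    # inside a 30-day window around 2009-01-01
EARLY = datetime(2008, 10, 1)   # before the window opens
LATE = datetime(2009, 3, 1)     # after the window closes
ALICE = OrigCert(parse_serial("1234"), "UID=alice,OU=people,O=Example",
                 datetime(2009, 1, 1), False, "caUserCert")
REVOKED = OrigCert(parse_serial("1235"), "UID=carol,OU=people,O=Example",
                   datetime(2009, 1, 1), True, "caUserCert")
ORPHAN = OrigCert(parse_serial("1236"), "UID=dave,OU=people,O=Example",
                  datetime(2009, 1, 1), False, "caRetiredProfile")
SERVER = OrigCert(parse_serial("77"), "CN=www.example.test,O=Example",
                  datetime(2009, 1, 1), False, "caServerCert")

if __name__ == "__main__":
    for cert, uid, authz in ((ALICE, "alice", True), (ALICE, "bob", True),
                             (SERVER, None, True), (SERVER, None, False)):
        print(cert.serial, evaluate_renewal(cert, uid, NOW, 30, 30, PROFILES,
                                            authz_enabled=authz))
```

The server cert case shows the "out of luck" limitation: with authorization enabled its subject has no uid to compare, so the only way to renew it under this evaluator is the manual profile with authorization turned off and an agent approving the request.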
(In reply to comment #12)
> *profile id in request showing only the orig profileid (not the actual renew
> profile id) doesn't show "renew" status

The second part should read "doesn't show "renewal" for request type, instead, it shows "enrollment."" This makes it not possible to search for request type.

Created attachment 323955 [details]
adds "renewal" hidden value to profile
pki/linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Created attachment 323958 [details]
spec files changes
diff files for:
pki/linux/common/pki-common.spec
pki/linux/ca/pki-ca.spec
pki/linux/ca-ui/pki-ca-ui.spec
and
pki/linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
A pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
A pki/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
A pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
A pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
A pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
A pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
A pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
[cfu@jaw src6]$ cd pki
[cfu@jaw pki]$ svn status
? linux/linux.diff
M linux/ca/pki-ca.spec
? linux/scripts/typescript.build_pki2
? linux/scripts/typescript.build_pki3
? linux/scripts/typescript.build_pki4
? linux/scripts/typescript.build_pki5
? linux/scripts/typescript.prepare_pki
? linux/scripts/typescript.build_pki
M linux/common/pki-common.spec
M linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
M linux/ca-ui/pki-ca-ui.spec
M base/ca/shared/profiles/ca/caDirUserCert.cfg
A base/ca/shared/profiles/ca/caDirUserRenewal.cfg
A base/ca/shared/profiles/ca/caManualRenewal.cfg
M base/ca/shared/profiles/ca/caUserCert.cfg
A base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
M base/ca/shared/conf/CS.cfg
M base/ca/shared/conf/registry.cfg
M base/common/src/UserMessages_en.properties
A base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
M base/common/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
M base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
M base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
M base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
M base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java
A base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
A base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
M base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
A base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
M base/common/src/com/netscape/cms/profile/common/BasicProfile.java
M base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
M base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java
M base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
M base/common/src/com/netscape/certsrv/profile/IProfile.java
[cfu@jaw pki]$ svn update
At revision 140.
[cfu@jaw pki]$ svn commit
Sending base/ca/shared/conf/CS.cfg
Sending base/ca/shared/conf/registry.cfg
Sending base/ca/shared/profiles/ca/caDirUserCert.cfg
Adding base/ca/shared/profiles/ca/caDirUserRenewal.cfg
Adding base/ca/shared/profiles/ca/caManualRenewal.cfg
Adding base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
Sending base/ca/shared/profiles/ca/caUserCert.cfg
Sending base/common/src/UserMessages_en.properties
Sending base/common/src/com/netscape/certsrv/profile/IProfile.java
Adding base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
Sending base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
Sending base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java
Adding base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
Sending base/common/src/com/netscape/cms/profile/common/BasicProfile.java
Sending base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
Adding base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Sending base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Sending base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
Sending base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java
Adding base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
Sending base/common/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
Sending base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
Sending base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending linux/ca/pki-ca.spec
Sending linux/ca-ui/pki-ca-ui.spec
Sending linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending linux/common/pki-common.spec
Transmitting file data ...........................
Committed revision 141.
+awnuk

Verified. Enrollment profile framework has 3 ways of renewing: self renew by user ssl client cert, ldap based self renew and manual renewal.