From f8aecf21ac13430d62aaac29191f809e2ab57c22 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 18 Oct 2023 11:01:28 -0500
Subject: [PATCH] Add cert validity options/params for CLI and ACME

The pki nss-cert-issue command and the NSSIssuer in ACME have been modified to provide options/params to specify the cert validity in different units (e.g. minutes) which could be useful for testing and end-users as well. The old option/param is limited to months only so it has been deprecated.
---
 .github/workflows/ca-container-test.yml | 3 +-
 .../org/dogtagpki/acme/issuer/NSSIssuer.java | 29 +++++++--
 base/ca/bin/pki-ca-run | 3 +-
 .../java/org/dogtagpki/nss/NSSDatabase.java | 61 +++++++++++++++++--
 base/server/bin/pki-server-run | 3 +-
 .../cmstools/nss/NSSCertIssueCLI.java | 31 +++++++++-
 docs/changes/v11.5.0/Server-Changes.adoc | 10 ++-
 docs/changes/v11.5.0/Tools-Changes.adoc | 8 +++
 8 files changed, 131 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/ca-container-test.yml b/.github/workflows/ca-container-test.yml
index c3f28dc1ddf..2fdbaf68960 100644
--- a/.github/workflows/ca-container-test.yml
+++ b/.github/workflows/ca-container-test.yml
@@ -48,7 +48,8 @@ jobs:
 nss-cert-issue \
 --csr ca_signing.csr \
 --ext /usr/share/pki/server/certs/ca_signing.conf \
- --months-valid 12 \
+ --validity-length 1 \
+ --validity-unit year \
 --cert ca_signing.crt
 docker exec client pki \
 nss-cert-import \
diff --git a/base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java b/base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
index 7cfd8c5497b..5936e5146fe 100644
--- a/base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
+++ b/base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
@@ -11,6 +11,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.cert.X509Certificate;
+import java.util.Calendar;
 import java.util.Date;
 import org.apache.commons.codec.binary.Base64;
@@ -43,7 +44,8 @@ public class NSSIssuer extends ACMEIssuer {
 org.mozilla.jss.crypto.X509Certificate issuer;
 NSSExtensionGenerator extGenerator;
- Integer monthsValid;
+ int validityLength = 3;
+ int validityUnit = Calendar.MONTH;
 String hash;
 @Override
@@ -78,9 +80,27 @@ public void init() throws Exception {
 CryptoManager cm = CryptoManager.getInstance();
 issuer = cm.findCertByNickname(nickname);
+ // TODO: add upgrade script to replace monthsValid with validityLength and validityUnit
 String monthsValid = config.getParameter("monthsValid");
- this.monthsValid = monthsValid == null ? 3 : Integer.valueOf(monthsValid);
- logger.info("- months valid: " + monthsValid);
+ if (monthsValid != null) {
+ logger.warn("The monthsValid parameter has been deprecated. Use validityLength and validityUnit parameters instead.");
+ this.validityLength = Integer.valueOf(monthsValid);
+
+ } else {
+
+ String validityLengthStr = config.getParameter("validityLength");
+ if (validityLengthStr != null) {
+ validityLength = Integer.valueOf(validityLengthStr);
+ }
+
+ String validityUnitStr = config.getParameter("validityUnit");
+ if (validityUnitStr != null) {
+ validityUnit = NSSDatabase.validityUnitFromString(validityUnitStr);
+ }
+ }
+
+ logger.info("- validity length: " + validityLength);
+ logger.info("- validity unit: " + NSSDatabase.validityUnitToString(validityUnit));
 String hash = config.getParameter("hash");
 if (hash != null) {
@@ -114,7 +134,8 @@ public String issueCertificate(PKCS10 pkcs10) throws Exception {
 X509Certificate cert = nssDatabase.createCertificate(
 issuer,
 pkcs10,
- monthsValid,
+ validityLength,
+ validityUnit,
 hash,
 extensions);
diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run
index 1cd8244e1cf..3bcab624db8 100755
--- a/base/ca/bin/pki-ca-run
+++ b/base/ca/bin/pki-ca-run
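Review bot: The new defaults `int validityLength = 3;` and `int validityUnit = Calendar.MONTH;` carry no comment, so a reader of the field list cannot tell that they are only the fallback for the `validityLength`/`validityUnit` config parameters read in init(). A comment above the pair such as `// default certificate validity: 3 months; overridden in init() by the validityLength/validityUnit config parameters (or the deprecated monthsValid)` would document that. The rest of the class lies outside the hunk.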
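Review bot: When `monthsValid` is configured, a `validityLength` or `validityUnit` that is also set is dropped without a word, and the deprecated branch leaves the unit to the field default instead of stating it; NSSCertIssueCLI.execute has the same shape for `--months-valid`. Two lines make the branch explicit and loud: `this.validityUnit = Calendar.MONTH;` after the length assignment, and `if (config.getParameter("validityLength") != null || config.getParameter("validityUnit") != null) logger.warn("validityLength/validityUnit are ignored because monthsValid is set");`. The `Integer.valueOf` calls here and in the CLI also let a malformed value surface as a bare NumberFormatException that does not name the parameter; catching it and rethrowing with `"Invalid validity length: " + validityLengthStr` as the message would match the wording NSSDatabase.validityUnitFromString already uses for a bad unit. init() continues outside the hunk.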
@@ -52,7 +52,8 @@ then
 nss-cert-issue \
 --csr /certs/ca_signing.csr \
 --ext /usr/share/pki/server/certs/ca_signing.conf \
- --months-valid 12 \
+ --validity-length 1 \
+ --validity-unit year \
 --cert /certs/ca_signing.crt
 pki \
diff --git a/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java b/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java
index 7bcb0356a98..3fae10af7ab 100644
--- a/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java
+++ b/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java
@@ -1070,10 +1070,55 @@ public PKCS10 createPKCS10Request(
 extensions);
 }
+ public static int validityUnitFromString(String validityUnit) throws Exception {
+
+ if (validityUnit.equalsIgnoreCase("year")) {
+ return Calendar.YEAR;
+
+ } else if (validityUnit.equalsIgnoreCase("month")) {
+ return Calendar.MONTH;
+
+ } else if (validityUnit.equalsIgnoreCase("day")) {
+ return Calendar.DAY_OF_YEAR;
+
+ } else if (validityUnit.equalsIgnoreCase("hour")) {
+ return Calendar.HOUR_OF_DAY;
+
+ } else if (validityUnit.equalsIgnoreCase("minute")) {
+ return Calendar.MINUTE;
+
+ } else {
+ throw new Exception("Invalid validity unit: " + validityUnit);
+ }
+ }
+
+ public static String validityUnitToString(int validityUnit) throws Exception {
+
+ if (validityUnit == Calendar.YEAR) {
+ return "year";
+
+ } else if (validityUnit == Calendar.MONTH) {
+ return "month";
+
+ } else if (validityUnit == Calendar.DAY_OF_YEAR) {
+ return "day";
+
+ } else if (validityUnit == Calendar.HOUR_OF_DAY) {
+ return "hour";
+
+ } else if (validityUnit == Calendar.MINUTE) {
+ return "minute";
+
+ } else {
+ throw new Exception("Invalid validity unit: " + validityUnit);
+ }
+ }
+
 public X509Certificate createCertificate(
 org.mozilla.jss.crypto.X509Certificate issuer,
 PKCS10 pkcs10,
- Integer monthsValid,
+ int validityLength,
+ int validityUnit,
 String hash,
 Extensions extensions) throws Exception {
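Review bot: validityUnitFromString and validityUnitToString are hand-written inverses of one five-entry mapping, and neither new public method has Javadoc, so a unit added to one will be missed in the other and in the `--validity-unit` help text in NSSCertIssueCLI.createOptions. Backing both with a single table removes the duplication; the sketch below uses `Map.of` (Java 9+) and needs a `java.util.Map` import, and a static initializer does the same on older targets. The raw `throws Exception` is kept to match the surrounding file, though `IllegalArgumentException` is the more specific type for a bad unit name. The Javadoc for each should state that names are matched case-insensitively and that the int values are the `java.util.Calendar` field constants consumed by `Calendar.add`, since `day` maps to DAY_OF_YEAR and `hour` to HOUR_OF_DAY rather than DAY_OF_MONTH and HOUR.
```java
// One table backs both conversions; the keys are the accepted unit names.
private static final Map<String, Integer> VALIDITY_UNITS = Map.of(
        "year", Calendar.YEAR,
        "month", Calendar.MONTH,
        "day", Calendar.DAY_OF_YEAR,
        "hour", Calendar.HOUR_OF_DAY,
        "minute", Calendar.MINUTE);

public static int validityUnitFromString(String validityUnit) throws Exception {
    for (Map.Entry<String, Integer> entry : VALIDITY_UNITS.entrySet()) {
        if (entry.getKey().equalsIgnoreCase(validityUnit)) {
            return entry.getValue();
        }
    }
    throw new Exception("Invalid validity unit: " + validityUnit);
}

public static String validityUnitToString(int validityUnit) throws Exception {
    for (Map.Entry<String, Integer> entry : VALIDITY_UNITS.entrySet()) {
        if (entry.getValue() == validityUnit) {
            return entry.getKey();
        }
    }
    throw new Exception("Invalid validity unit: " + validityUnit);
}
// … unchanged: createCertificate overloads …
```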
@@ -1081,7 +1126,8 @@ public X509Certificate createCertificate(
 issuer,
 pkcs10,
 null, // serial number
- monthsValid,
+ validityLength,
+ validityUnit,
 hash,
 extensions);
 }
@@ -1090,7 +1136,8 @@ public X509Certificate createCertificate(
 org.mozilla.jss.crypto.X509Certificate issuer,
 PKCS10 pkcs10,
 String serialNumber,
- Integer monthsValid,
+ int validityLength,
+ int validityUnit,
 String hash,
 Extensions extensions) throws Exception {
@@ -1099,7 +1146,8 @@ public X509Certificate createCertificate(
 issuer,
 pkcs10,
 serialNumber,
- monthsValid,
+ validityLength,
+ validityUnit,
 hash,
 extensions);
 }
@@ -1109,7 +1157,8 @@ public X509Certificate createCertificate(
 org.mozilla.jss.crypto.X509Certificate issuer,
 PKCS10 pkcs10,
 String serialNumber,
- Integer monthsValid,
+ int validityLength,
+ int validityUnit,
 String hash,
 Extensions extensions) throws Exception {
@@ -1150,7 +1199,7 @@ public X509Certificate createCertificate(
 Date notBeforeDate = calendar.getTime();
 logger.debug("NSSDatabase: - not before: " + notBeforeDate);
- calendar.add(Calendar.MONTH, monthsValid);
+ calendar.add(validityUnit, validityLength);
 Date notAfterDate = calendar.getTime();
 logger.debug("NSSDatabase: - not after: " + notAfterDate);
diff --git a/base/server/bin/pki-server-run b/base/server/bin/pki-server-run
index 8c764b4feab..3c01c6e9b19 100755
--- a/base/server/bin/pki-server-run
+++ b/base/server/bin/pki-server-run
@@ -68,7 +68,8 @@ then
 pki -d /var/lib/tomcats/pki/conf/alias nss-cert-issue \
 --csr /tmp/ca_signing.csr \
 --ext /usr/share/pki/server/certs/ca_signing.conf \
- --months-valid 12 \
+ --validity-length 1 \
+ --validity-unit year \
 --cert /tmp/ca_signing.crt
 # import and trust CA signing cert into NSS database
diff --git a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertIssueCLI.java b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertIssueCLI.java
index 9e80ecaeee1..199629194d1 100644
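Review bot: A zero or negative validityLength makes notAfterDate equal to or earlier than notBeforeDate, and the new `calendar.add(validityUnit, validityLength)` in the last NSSDatabase hunk accepts it silently, so a mistyped config value or `--validity-length 0` produces a certificate that is never valid. Reject it before the add: `if (validityLength <= 0) { throw new IllegalArgumentException("Invalid validity length: " + validityLength); }`. This overload is where the other createCertificate overloads, NSSIssuer.issueCertificate and NSSCertIssueCLI.execute all converge, so one check here covers every caller; it should also be noted in the method's Javadoc. createCertificate starts and ends outside the hunk, and whether it already validates its other arguments cannot be seen from here.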
--- a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertIssueCLI.java
+++ b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertIssueCLI.java
@@ -8,6 +8,7 @@
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.cert.X509Certificate;
+import java.util.Calendar;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
@@ -57,10 +58,18 @@ public void createOptions() {
 option.setArgName("number");
 options.addOption(option);
- option = new Option(null, "months-valid", true, "Months valid (default is 3)");
+ option = new Option(null, "months-valid", true, "DEPRECATED: Months valid");
 option.setArgName("months");
 options.addOption(option);
+ option = new Option(null, "validity-length", true, "Validity length (default: 3)");
+ option.setArgName("length");
+ options.addOption(option);
+
+ option = new Option(null, "validity-unit", true, "Validity unit: minute, hour, day, month (default), year");
+ option.setArgName("unit");
+ options.addOption(option);
+
 option = new Option(null, "hash", true, "Hash algorithm (default is SHA256)");
 option.setArgName("hash");
 options.addOption(option);
@@ -82,7 +91,9 @@ public void execute(CommandLine cmd) throws Exception {
 String extConf = cmd.getOptionValue("ext");
 String subjectAltName = cmd.getOptionValue("subjectAltName");
 String serialNumber = cmd.getOptionValue("serial");
- String monthsValid = cmd.getOptionValue("months-valid", "3");
+ String monthsValid = cmd.getOptionValue("months-valid");
+ String validityLengthStr = cmd.getOptionValue("validity-length", "3");
+ String validityUnitStr = cmd.getOptionValue("validity-unit", "month");
 String hash = cmd.getOptionValue("hash", "SHA256");
 if (csrFile == null) {
@@ -121,6 +132,19 @@ public void execute(CommandLine cmd) throws Exception {
 extensions = generator.createExtensions(issuer, pkcs10);
+ int validityLength;
+ int validityUnit;
+
+ if (monthsValid != null) {
+ logger.warn("The --months-valid option has been deprecated. Use --validity-length and --validity-unit instead.");
+ validityLength = Integer.valueOf(monthsValid);
+ validityUnit = Calendar.MONTH;
+
+ } else {
+ validityLength = Integer.valueOf(validityLengthStr);
+ validityUnit = NSSDatabase.validityUnitFromString(validityUnitStr);
+ }
+
 String tokenName = clientConfig.getTokenName();
 X509Certificate cert = nssdb.createCertificate(
@@ -128,7 +152,8 @@ public void execute(CommandLine cmd) throws Exception {
 issuer,
 pkcs10,
 serialNumber,
- Integer.valueOf(monthsValid),
+ validityLength,
+ validityUnit,
 hash,
 extensions);
diff --git a/docs/changes/v11.5.0/Server-Changes.adoc b/docs/changes/v11.5.0/Server-Changes.adoc
index 71fc0cc6bbf..07a79b9527d 100644
--- a/docs/changes/v11.5.0/Server-Changes.adoc
+++ b/docs/changes/v11.5.0/Server-Changes.adoc
@@ -19,4 +19,12 @@ The default value is `True`.
 The parameters `..cert` and `..certreq` are removed from `CS.cfg` files.
 Certificates are retrieved from the nssdb configured and they are not stored in other places.
-CSR are stored in the folder `/certs` as `.csr` and they are retrieved from this location.
\ No newline at end of file
+CSR are stored in the folder `/certs` as `.csr` and they are retrieved from this location.
+
+== New validity parameters for NSS Issuer in ACME ==
+
+The `NSSIssuer` in ACME has been modified to provide `validityLength`
+and `validityUnit` parameters to specify the certificate validity.
+The default is 3 months.
+
+The `monthsValid` parameter has been deprecated.
diff --git a/docs/changes/v11.5.0/Tools-Changes.adoc b/docs/changes/v11.5.0/Tools-Changes.adoc
index 4ab0dcd0c4e..899b05119ca 100644
--- a/docs/changes/v11.5.0/Tools-Changes.adoc
+++ b/docs/changes/v11.5.0/Tools-Changes.adoc
@@ -20,3 +20,11 @@ Use `pki` CLI or the `curl` command instead.
 The `DRMTool` command is no longer available.
 Use `KRATool` command instead.
+
+== New validity options for pki nss-cert-issue CLI ==
+
+The `pki nss-cert-issue` command has been modified to provide
+`--validity-length` and `--validity-unit` options to specify
+the certificate validity. The default is 3 months.
+
+The `--months-valid` option has been deprecated.