Add cert validity options/params for CLI and ACME

The pki nss-cert-issue command and the NSSIssuer in ACME have
been modified to provide options/params to specify the cert
validity in different units (e.g. minutes) which could be
useful for testing and end-users as well.

The old option/param is limited to months only so it has been
deprecated.

.github/workflows/ca-container-test.yml

@@ -48,7 +48,8 @@ jobs:
               nss-cert-issue \
               --csr ca_signing.csr \
               --ext /usr/share/pki/server/certs/ca_signing.conf \
-              --months-valid 12 \
+              --validity-length 1 \
+              --validity-unit year \
               --cert ca_signing.crt
           docker exec client pki \
               nss-cert-import \

base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java

@@ -11,6 +11,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.cert.X509Certificate;
+import java.util.Calendar;
 import java.util.Date;
 
 import org.apache.commons.codec.binary.Base64;
@@ -43,7 +44,8 @@ public class NSSIssuer extends ACMEIssuer {
     org.mozilla.jss.crypto.X509Certificate issuer;
 
     NSSExtensionGenerator extGenerator;
-    Integer monthsValid;
+    int validityLength = 3;
+    int validityUnit = Calendar.MONTH;
     String hash;
 
     @Override
@@ -78,9 +80,27 @@ public void init() throws Exception {
         CryptoManager cm = CryptoManager.getInstance();
         issuer = cm.findCertByNickname(nickname);
 
+        // TODO: add upgrade script to replace monthsValid with validityLength and validityUnit
         String monthsValid = config.getParameter("monthsValid");
-        this.monthsValid = monthsValid == null ? 3 : Integer.valueOf(monthsValid);
-        logger.info("- months valid: " + monthsValid);
+        if (monthsValid != null) {
+            logger.warn("The monthsValid parameter has been deprecated. Use validityLength and validityUnit parameters instead.");
+            this.validityLength = Integer.valueOf(monthsValid);
+
+        } else {
+
+            String validityLengthStr = config.getParameter("validityLength");
+            if (validityLengthStr != null) {
+                validityLength = Integer.valueOf(validityLengthStr);
+            }
+
+            String validityUnitStr = config.getParameter("validityUnit");
+            if (validityUnitStr != null) {
+                validityUnit = NSSDatabase.validityUnitFromString(validityUnitStr);
+            }
+        }
+
+        logger.info("- validity length: " + validityLength);
+        logger.info("- validity unit: " + NSSDatabase.validityUnitToString(validityUnit));
 
         String hash = config.getParameter("hash");
         if (hash != null) {
@@ -114,7 +134,8 @@ public String issueCertificate(PKCS10 pkcs10) throws Exception {
         X509Certificate cert = nssDatabase.createCertificate(
                 issuer,
                 pkcs10,
-                monthsValid,
+                validityLength,
+                validityUnit,
                 hash,
                 extensions);
 

base/ca/bin/pki-ca-run

@@ -52,7 +52,8 @@ then
         nss-cert-issue \
         --csr /certs/ca_signing.csr \
         --ext /usr/share/pki/server/certs/ca_signing.conf \
-        --months-valid 12 \
+        --validity-length 1 \
+        --validity-unit year \
         --cert /certs/ca_signing.crt
 
     pki \

base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java

@@ -1070,18 +1070,64 @@ public PKCS10 createPKCS10Request(
                 extensions);
     }
 
+    public static int validityUnitFromString(String validityUnit) throws Exception {
+
+        if (validityUnit.equalsIgnoreCase("year")) {
+            return Calendar.YEAR;
+
+        } else if (validityUnit.equalsIgnoreCase("month")) {
+            return Calendar.MONTH;
+
+        } else if (validityUnit.equalsIgnoreCase("day")) {
+            return Calendar.DAY_OF_YEAR;
+
+        } else if (validityUnit.equalsIgnoreCase("hour")) {
+            return Calendar.HOUR_OF_DAY;
+
+        } else if (validityUnit.equalsIgnoreCase("minute")) {
+            return Calendar.MINUTE;
+
+        } else {
+            throw new Exception("Invalid validity unit: " + validityUnit);
+        }
+    }
+
+    public static String validityUnitToString(int validityUnit) throws Exception {
+
+        if (validityUnit == Calendar.YEAR) {
+            return "year";
+
+        } else if (validityUnit == Calendar.MONTH) {
+            return "month";
+
+        } else if (validityUnit == Calendar.DAY_OF_YEAR) {
+            return "day";
+
+        } else if (validityUnit == Calendar.HOUR_OF_DAY) {
+            return "hour";
+
+        } else if (validityUnit == Calendar.MINUTE) {
+            return "minute";
+
+        } else {
+            throw new Exception("Invalid validity unit: " + validityUnit);
+        }
+    }
+
     public X509Certificate createCertificate(
             org.mozilla.jss.crypto.X509Certificate issuer,
             PKCS10 pkcs10,
-            Integer monthsValid,
+            int validityLength,
+            int validityUnit,
             String hash,
             Extensions extensions) throws Exception {
 
         return createCertificate(
                 issuer,
                 pkcs10,
                 null, // serial number
-                monthsValid,
+                validityLength,
+                validityUnit,
                 hash,
                 extensions);
     }
@@ -1090,7 +1136,8 @@ public X509Certificate createCertificate(
             org.mozilla.jss.crypto.X509Certificate issuer,
             PKCS10 pkcs10,
             String serialNumber,
-            Integer monthsValid,
+            int validityLength,
+            int validityUnit,
             String hash,
             Extensions extensions) throws Exception {
 
@@ -1099,7 +1146,8 @@ public X509Certificate createCertificate(
                 issuer,
                 pkcs10,
                 serialNumber,
-                monthsValid,
+                validityLength,
+                validityUnit,
                 hash,
                 extensions);
     }
@@ -1109,7 +1157,8 @@ public X509Certificate createCertificate(
             org.mozilla.jss.crypto.X509Certificate issuer,
             PKCS10 pkcs10,
             String serialNumber,
-            Integer monthsValid,
+            int validityLength,
+            int validityUnit,
             String hash,
             Extensions extensions) throws Exception {
 
@@ -1150,7 +1199,7 @@ public X509Certificate createCertificate(
         Date notBeforeDate = calendar.getTime();
         logger.debug("NSSDatabase: - not before: " + notBeforeDate);
 
-        calendar.add(Calendar.MONTH, monthsValid);
+        calendar.add(validityUnit, validityLength);
         Date notAfterDate = calendar.getTime();
         logger.debug("NSSDatabase: - not after: " + notAfterDate);
 

base/server/bin/pki-server-run

@@ -68,7 +68,8 @@ then
     pki -d /var/lib/tomcats/pki/conf/alias nss-cert-issue \
         --csr /tmp/ca_signing.csr \
         --ext /usr/share/pki/server/certs/ca_signing.conf \
-        --months-valid 12 \
+        --validity-length 1 \
+        --validity-unit year \
         --cert /tmp/ca_signing.crt
 
     # import and trust CA signing cert into NSS database

base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertIssueCLI.java

@@ -8,6 +8,7 @@
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.cert.X509Certificate;
+import java.util.Calendar;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
@@ -57,10 +58,18 @@ public void createOptions() {
         option.setArgName("number");
         options.addOption(option);
 
-        option = new Option(null, "months-valid", true, "Months valid (default is 3)");
+        option = new Option(null, "months-valid", true, "DEPRECATED: Months valid");
         option.setArgName("months");
         options.addOption(option);
 
+        option = new Option(null, "validity-length", true, "Validity length (default: 3)");
+        option.setArgName("length");
+        options.addOption(option);
+
+        option = new Option(null, "validity-unit", true, "Validity unit: minute, hour, day, month (default), year");
+        option.setArgName("unit");
+        options.addOption(option);
+
         option = new Option(null, "hash", true, "Hash algorithm (default is SHA256)");
         option.setArgName("hash");
         options.addOption(option);
@@ -82,7 +91,9 @@ public void execute(CommandLine cmd) throws Exception {
         String extConf = cmd.getOptionValue("ext");
         String subjectAltName = cmd.getOptionValue("subjectAltName");
         String serialNumber = cmd.getOptionValue("serial");
-        String monthsValid = cmd.getOptionValue("months-valid", "3");
+        String monthsValid = cmd.getOptionValue("months-valid");
+        String validityLengthStr = cmd.getOptionValue("validity-length", "3");
+        String validityUnitStr = cmd.getOptionValue("validity-unit", "month");
         String hash = cmd.getOptionValue("hash", "SHA256");
 
         if (csrFile == null) {
@@ -121,14 +132,28 @@ public void execute(CommandLine cmd) throws Exception {
 
         extensions = generator.createExtensions(issuer, pkcs10);
 
+        int validityLength;
+        int validityUnit;
+
+        if (monthsValid != null) {
+            logger.warn("The --months-valid option has been deprecated. Use --validity-length and --validity-unit instead.");
+            validityLength = Integer.valueOf(monthsValid);
+            validityUnit = Calendar.MONTH;
+
+        } else {
+            validityLength = Integer.valueOf(validityLengthStr);
+            validityUnit = NSSDatabase.validityUnitFromString(validityUnitStr);
+        }
+
         String tokenName = clientConfig.getTokenName();
 
         X509Certificate cert = nssdb.createCertificate(
                 tokenName,
                 issuer,
                 pkcs10,
                 serialNumber,
-                Integer.valueOf(monthsValid),
+                validityLength,
+                validityUnit,
                 hash,
                 extensions);
 

docs/changes/v11.5.0/Server-Changes.adoc

@@ -19,4 +19,12 @@ The default value is `True`.
 
 The parameters `<subsystem_name>.<cert_id>.cert` and `<subsystem_name>.<cert_id>.certreq` are removed from `CS.cfg` files.
 Certificates are retrieved from the nssdb configured and they are not stored in other places.
-CSR are stored in the folder `<instance_config>/certs` as `<cert_nickname>.csr` and they are retrieved from this location.
+CSR are stored in the folder `<instance_config>/certs` as `<cert_nickname>.csr` and they are retrieved from this location.
+
+== New validity parameters for NSS Issuer in ACME ==
+
+The `NSSIssuer` in ACME has been modified to provide `validityLength`
+and `validityUnit` parameters to specify the certificate validity.
+The default is 3 months.
+
+The `monthsValid` parameter has been deprecated.

docs/changes/v11.5.0/Tools-Changes.adoc

@@ -20,3 +20,11 @@ Use `pki` CLI or the `curl` command instead.
 
 The `DRMTool` command is no longer available.
 Use `KRATool` command instead.
+
+== New validity options for pki nss-cert-issue CLI ==
+
+The `pki nss-cert-issue` command has been modified to provide
+`--validity-length` and `--validity-unit` options to specify
+the certificate validity. The default is 3 months.
+
+The `--months-valid` option has been deprecated.