authorAndrew Wnuk <awnuk@redhat.com>2012-07-09 17:38:12 -0700
committerAndrew Wnuk <awnuk@redhat.com>2012-07-09 17:38:12 -0700
commit88322df4cb62f7b4e38213e141d969fb0093afa8 (patch)
tree5f83eea0f73c0bb338b778874360339ff5328c78
parent60fdb857be509120b2abc470407d12b560ba5a1b (diff)
CMC revocation
This patch provides verification of revocation reasons and proper handling for the removeFromCRL revocation reason. Bug: 441354.
-rw-r--r--base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java36
1 files changed, 27 insertions, 9 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
index 9ed435c07..6afc87639 100644
--- a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
@@ -464,6 +464,12 @@ CMS.debug("**** mFormPath = "+mFormPath);
// Construct a CRL reason code extension.
RevocationReason revReason = RevocationReason.fromInt(reason);
+ header.addIntegerValue("reasonCode", reason);
+ if (revReason != null) {
+ header.addStringValue("reason", revReason.toString());
+ } else {
+ header.addStringValue("error", "Invalid revocation reason: "+reason);
+ }
CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason);
// Construct a CRL invalidity date extension.
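Review bot: An unrecognized reason only records an `error` value in the header and then falls through — `new CRLReasonExtension(revReason)` on the next line is still built with a null reason and the request keeps being processed. If the new error header is meant to reject the request, the `else` branch should stop here (render the error and return) rather than rely on later code noticing the null; what happens downstream is not visible in this hunk. The enclosing method starts and ends outside the hunk.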
@@ -496,7 +502,8 @@ CMS.debug("**** mFormPath = "+mFormPath);
rarg.addBigIntegerValue("serialNumber",
cert.getSerialNumber(), 16);
- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
+ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) &&
+ (revReason == null || revReason != RevocationReason.REMOVE_FROM_CRL)) {
rarg.addStringValue("error", "Certificate " +
cert.getSerialNumber().toString() +
" is already revoked.");
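Review bot: The relaxed check lets a REMOVE_FROM_CRL request through for any already-revoked certificate without verifying that the certificate is actually on hold, and a REMOVE_FROM_CRL request for a certificate that is not revoked at all passes this block with no error. Since removeFromCRL only makes sense for a certificate revoked with certificateHold, consider an additional branch such as `else if (revReason == RevocationReason.REMOVE_FROM_CRL && !rec.getStatus().equals(ICertRecord.STATUS_REVOKED))` that reports an error, and a check of the record's stored revocation reason before release from hold is allowed; whether the UNREVOCATION_REQUEST processing enforces this later is not visible here. The `revReason == null ||` part of the new condition is redundant, because `null != RevocationReason.REMOVE_FROM_CRL` is already true. The enclosing method starts and ends outside the hunk.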
@@ -602,14 +609,20 @@ CMS.debug("**** mFormPath = "+mFormPath);
X509CertImpl[] oldCerts = new X509CertImpl[count];
RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count];
+ BigInteger[] certSerialNumbers = new BigInteger[count];
for (int i = 0; i < count; i++) {
oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i);
revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i);
+ certSerialNumbers[i] = oldCerts[i].getSerialNumber();
}
- IRequest revReq =
- mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+ IRequest revReq = null;
+ if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+ revReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST);
+ } else {
+ revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+ }
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
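Review bot: The request-type selection at the end of the hunk repeats the same `revReason == RevocationReason.REMOVE_FROM_CRL` test that is evaluated again when the ext data is set further down; compute it once, e.g. `boolean unrevoke = revReason == RevocationReason.REMOVE_FROM_CRL;`, and use it in both places (the `revReason != null &&` guard adds nothing to an enum identity comparison). That also lets `revReq` be declared `final` from a single ternary instead of being initialised to null and assigned in both branches. Whether the signed audit message built right after this hunk distinguishes an unrevocation from a revocation is not visible here, but it is worth confirming so the audit trail reflects the request type actually queued. The enclosing method starts and ends outside the hunk.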
@@ -622,13 +635,18 @@ CMS.debug("**** mFormPath = "+mFormPath);
audit(auditMessage);
- revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
- revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT);
- revReq.setExtData(IRequest.REVOKED_REASON, reason);
- revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
- if (comments != null) {
- revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+ if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+ revReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST);
+ revReq.setExtData(IRequest.OLD_SERIALS, certSerialNumbers);
+ } else {
+ revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
+ revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
+ revReq.setExtData(IRequest.REVOKED_REASON, reason);
+ revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
+ if (comments != null) {
+ revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+ }
}
// change audit processing from "REQUEST" to "REQUEST_PROCESSED"
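Review bot: In the UNREVOCATION branch the requestor comments are silently dropped — `REQUESTOR_COMMENTS` is only set inside the else branch, so an unrevocation request carries no comments even when the requester supplied them. Unless that is deliberate, move `if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); }` out of the else so both request types keep it. `REQ_TYPE` is also set separately in each branch with what appears to be the same value already passed to `mQueue.newRequest(...)` in the previous hunk, so it could be set once before the if. The enclosing method starts and ends outside the hunk.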