authorFraser Tweedale <ftweedal@redhat.com>2015-10-09 02:54:18 -0400
committerFraser Tweedale <ftweedal@redhat.com>2015-10-21 19:55:36 -0400
commitbb3329f19180df9935c8571563eab2f47e31c522 (patch)
treefe29c86366be833238e9331a557560ba64a7307b /base/ca/src/com/netscape/ca
parent465fa069ba67d655be28e1a3b9417dff19148e9f (diff)
CRLIP: omit certs not issued by associated CA
Lightweight CAs mean that a single database can include certificates from many issuers. Update CRLIssuingPoint to only include certificates issued by its associated CA. For backwards compatibility, if the associated CA is the host CA, certificate records with missing 'issuerName' attribute are also included. Fixes: https://fedorahosted.org/pki/ticket/1626
Diffstat (limited to 'base/ca/src/com/netscape/ca')
-rw-r--r--base/ca/src/com/netscape/ca/CRLIssuingPoint.java18
1 files changed, 14 insertions, 4 deletions
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fe230e937..f6eaf7287 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -1868,11 +1868,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
}
+ String issuerFilter =
+ "(" + CertRecord.ATTR_X509CERT_ISSUER
+ + "=" + mCA.getX500Name().toString() + ")";
+ // host authority may be absent issuer attribute
+ if (mCA.isHostAuthority()) {
+ issuerFilter =
+ "(|"
+ + "(!(" + CertRecord.ATTR_X509CERT_ISSUER + "=*))"
+ + issuerFilter
+ + ")";
+ }
+ filter += issuerFilter;
+
// get all revoked non-expired certs.
- if (mEndSerial != null || mBeginSerial != null || mCACertsOnly ||
- (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) {
- filter = "(&" + filter + ")";
- }
+ filter = "(&" + filter + ")";
return filter;
}
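Review bot: The issuer DN is concatenated straight into the LDAP search filter at `"=" + mCA.getX500Name().toString() + ")"` without RFC 4515 filter escaping, so a CA subject containing `(`, `)`, `*` or `\` yields a malformed or over-broad filter, and for a CRL that means silently dropped or wrong revocation entries. Lightweight CA names are admin-chosen rather than fixed, so this is reachable once such a CA is created. Escape the value before embedding it, e.g. `+ "=" + LDAPUtil.escapeFilter(mCA.getX500Name().toString()) + ")"` using the tree's LDAP filter-escape helper if one exists, otherwise a local RFC 4515 escape. Note also that matching a DN by string equality presumably relies on the stored `issuerName` attribute having been written with the same `toString()` rendering; worth confirming against the code that populates the record. The enclosing method starts outside the hunk.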