| author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-27 11:43:33 -0700 |
|---|---|---|
| committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-27 14:20:28 -0700 |
| commit | 0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4 (patch) | |
| tree | 62e72cf687ff481eee1e421d5fc51e79a7f716e9 /base/ca/src/com/netscape | |
| parent | 39b049e2048ba440c2885f4249bedd428fd250b1 (diff) | |
| download | pki-0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4.tar.gz pki-0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4.tar.xz pki-0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4.zip | |
Make starting CRL Number configurable.
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
Diffstat (limited to 'base/ca/src/com/netscape')
| -rw-r--r-- | base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 65 |
1 files changed, 45 insertions, 20 deletions
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fc9e6a355..a593eb897 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -31,6 +31,23 @@ import java.util.StringTokenizer;
 import java.util.TimeZone;
 import java.util.Vector;
 
+import netscape.security.util.BitArray;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.Extension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.IssuingDistributionPoint;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509ExtensionException;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -66,23 +83,6 @@ import com.netscape.cmscore.dbs.CertRecord;
 import com.netscape.cmscore.dbs.CertificateRepository;
 import com.netscape.cmscore.util.Debug;
 
-import netscape.security.util.BitArray;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLNumberExtension;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.DeltaCRLIndicatorExtension;
-import netscape.security.x509.Extension;
-import netscape.security.x509.FreshestCRLExtension;
-import netscape.security.x509.IssuingDistributionPoint;
-import netscape.security.x509.IssuingDistributionPointExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.RevokedCertificate;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
-
 /**
  * This class encapsulates CRL issuing mechanism. CertificateAuthority
  * contains a map of CRLIssuingPoint indexed by string ids. Each issuing
@@ -112,6 +112,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
     private static final int CRL_PAGE_SIZE = 10000;
+    private static final String PROP_CRL_STARTING_NUMBER = "startingCrlNumber";
+
     /* configuration file property names */
     public IPublisherProcessor mPublisherProcessor = null;
@@ -923,13 +925,36 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
         if (crlRecord == null) {
             // no crl was ever created, or crl in db is corrupted.
             // create new one.
+
+            IConfigStore ipStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE).getSubStore(mId);
             try {
-                crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1),
+
+                BigInteger startingCrlNumberBig = ipStore.getBigInteger(PROP_CRL_STARTING_NUMBER, BigInteger.ZERO);
+                CMS.debug("startingCrlNumber: " + startingCrlNumberBig);
+
+                // Check for bogus negative value
+
+                if(startingCrlNumberBig.compareTo(BigInteger.ZERO) < 0) {
+                    //Make it the default of ZERO
+                    startingCrlNumberBig = BigInteger.ZERO;
+                }
+
+                crlRecord = new CRLIssuingPointRecord(mId, startingCrlNumberBig, Long.valueOf(-1),
                         null, null, BigInteger.ZERO, Long.valueOf(-1),
                         mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
                 mCRLRepository.addCRLIssuingPointRecord(crlRecord);
-                mCRLNumber = BigInteger.ZERO; //BIG_ZERO;
-                mNextCRLNumber = BigInteger.ONE; //BIG_ONE;
+                mCRLNumber = startingCrlNumberBig;
+
+                // The default case calls for ZERO being the starting point where
+                // it is then incremented by one to ONE
+                // If we specificy an explicit starting point,
+                // We want that exact number to be the next CRL Number.
+                if(mCRLNumber.compareTo(BigInteger.ZERO) == 0) {
+                    mNextCRLNumber = BigInteger.ONE;
+                } else {
+                    mNextCRLNumber = mCRLNumber;
+                }
+
                 mLastCRLNumber = mCRLNumber;
                 mDeltaCRLNumber = mCRLNumber;
                 mNextDeltaCRLNumber = mNextCRLNumber;
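Review bot: The negative-value fallback in the new `if(startingCrlNumberBig.compareTo(BigInteger.ZERO) < 0)` branch silently replaces a misconfigured `startingCrlNumber` with zero, so a CA whose operator meant to continue numbering from a migrated value would instead issue CRLs starting at 1; CRL numbers are expected to increase monotonically, so that regression matters to relying parties and deserves a log entry an operator will see, or an EBaseException, rather than the preceding CMS.debug line alone. Whether a non-numeric value makes `ipStore.getBigInteger` throw, and which catch handles it, cannot be seen here because the try block's catch is outside the hunk. The two branches also leave different invariants: in the default case `mNextCRLNumber` is `mLastCRLNumber + 1`, whereas with an explicit starting number `mNextCRLNumber`, `mLastCRLNumber`, `mDeltaCRLNumber` and `mNextDeltaCRLNumber` all hold the same value; if code outside the hunk assumes next = last + 1 this needs checking, and at minimum the comment should state it, e.g. `// NOTE: with an explicit starting number mLastCRLNumber == mNextCRLNumber until the first CRL is issued`. `startingCrlNumberBig.signum() < 0` reads more simply than the compareTo form, and `specificy` in the added comment should be `specify`. The enclosing method starts and ends outside the hunk.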
