author | Fraser Tweedale <ftweedal@redhat.com> | 2015-09-30 23:46:36 -0400 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-02-22 16:44:50 -0500 |
commit | 754b15db85c22903b3f9b18742ab2649fc556ad3 (patch) | |
tree | 39827df5a55801e54f0505d87221fd03b4058dd9 /base/ca/src | |
parent | c32dd90ef638e9653136eeb901426c56b511fda4 (diff) | |
Lightweight CAs: ensure disabled CA cannot create sub-CAs
Fixes: https://fedorahosted.org/pki/ticket/1628
Diffstat (limited to 'base/ca/src')
-rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthority.java | 3 | ||||
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 3 |
2 files changed, 5 insertions, 1 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index 449da301f..d2afa64f8 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -2409,6 +2409,9 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori String subjectDN, String description) throws EBaseException { + if (!authorityEnabled) + throw new CADisabledException("Parent CA is disabled"); + // check requested DN X500Name subjectX500Name = null; try { diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index b23a4b853..b77788378 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java @@ -43,6 +43,7 @@ import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.ResourceNotFoundException; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CAEnabledException; +import com.netscape.certsrv.ca.CADisabledException; import com.netscape.certsrv.ca.CANotFoundException; import com.netscape.certsrv.ca.CANotLeafException; import com.netscape.certsrv.ca.CATypeException; @@ -186,7 +187,7 @@ public class AuthorityService extends PKIService implements AuthorityResource { throw new BadRequestException(e.toString()); } catch (CANotFoundException e) { throw new ResourceNotFoundException(e.toString()); - } catch (IssuerUnavailableException e) { + } catch (IssuerUnavailableException | CADisabledException e) { throw new ConflictingOperationException(e.toString()); } catch (Exception e) { CMS.debug(e); |
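Review bot: The new guard at the top of createSubCA reads `authorityEnabled` once on entry, and nothing in the hunk shows how that field is published between threads. If a disable request can run concurrently and the field is neither volatile nor read under the lock the disable path takes, a parent that has just been disabled could still issue a sub-CA. That needs confirming at the field's declaration, which is outside this hunk, as is the rest of the method body. I would also brace the `if` and add a comment saying why the check sits in the CA object, for example `// enforced here so every caller, not only AuthorityService, is refused`.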
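Review bot: The widened multi-catch in AuthorityService turns a refused request against a disabled parent into a conflict response without recording it; only the generic `catch (Exception e)` branch below calls `CMS.debug(e)`. An attempt to create a sub-CA under a disabled CA is something operators will want to see, so I would add `CMS.debug(e);` before `throw new ConflictingOperationException(e.toString());`, or emit an audit event if this service has one (not visible here). Separately, `e.toString()` puts the exception class name into the response body, while `e.getMessage()` would give the client the reason without the internal type; that is the existing pattern across this catch chain, so it may be better handled as a follow-up. The enclosing method starts and ends outside the hunk.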