summaryrefslogtreecommitdiffstats
path: root/base/server/cms/src/com/netscape
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2017-06-05 08:50:25 -0700
committerChristina Fu <cfu@redhat.com>2017-06-05 11:18:38 -0700
commitaa39354dbbf9df404f6ad374c837db0c421f2705 (patch)
tree5d86f32220481ec94b240d3904b27adbe7e565e2 /base/server/cms/src/com/netscape
parent6f3b1e546d43871eee9e57fb21735601a4fce0f0 (diff)
downloadpki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.gz
pki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.xz
pki-aa39354dbbf9df404f6ad374c837db0c421f2705.zip
Ticket #2617 part2: add revocation check to signing cert
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r--base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java19
1 files changed, 19 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 2128c1e30..a18c25ee3 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
+import java.security.cert.CertificateExpiredException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Enumeration;
@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
si.verify(digest, id, pubK);
}
CMS.debug(method + "finished checking signature");
+
// verify signer's certificate using the revocator
+ // ...or not; I think it just checks usage and
+ // validity, but not revocation status
if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
CMS.debug(method + "CMC signature failed to be verified");
s.close();
@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
}
// At this point, the signature has been verified;
+ // now check revocation status of the cert
+ if (CMS.isRevoked(x509Certs)) {
+ CMS.debug(method + "CMC signing cert is a revoked certificate");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ try { //do this again anyways
+ cert.checkValidity();
+ } catch (CertificateExpiredException e) {
+ CMS.debug(method + "CMC signing cert is an expired certificate");
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ } catch (Exception e) {
+ CMS.debug(method + e.toString());
+ throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
IAuthToken tempToken = new AuthToken(null);
/*
netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();