diff options
author | Christina Fu <cfu@redhat.com> | 2017-06-05 08:50:25 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2017-06-05 11:18:38 -0700 |
commit | aa39354dbbf9df404f6ad374c837db0c421f2705 (patch) | |
tree | 5d86f32220481ec94b240d3904b27adbe7e565e2 /base/server/cms | |
parent | 6f3b1e546d43871eee9e57fb21735601a4fce0f0 (diff) | |
download | pki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.gz pki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.xz pki-aa39354dbbf9df404f6ad374c837db0c421f2705.zip |
Ticket #2617 part2: add revocation check to signing cert
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index 2128c1e30..a18c25ee3 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; +import java.security.cert.CertificateExpiredException; import java.security.MessageDigest; import java.security.PublicKey; import java.util.Enumeration; @@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, si.verify(digest, id, pubK); } CMS.debug(method + "finished checking signature"); + // verify signer's certificate using the revocator + // ...or not; I think it just checks usage and + // validity, but not revocation status if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { CMS.debug(method + "CMC signature failed to be verified"); s.close(); @@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, } // At this point, the signature has been verified; + // now check revocation status of the cert + if (CMS.isRevoked(x509Certs)) { + CMS.debug(method + "CMC signing cert is a revoked certificate"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + try { //do this again anyways + cert.checkValidity(); + } catch (CertificateExpiredException e) { + CMS.debug(method + "CMC signing cert is an expired certificate"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } catch (Exception e) { + CMS.debug(method + e.toString()); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + IAuthToken tempToken = new AuthToken(null); /* netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); |