diff options
author | Endi S. Dewata <edewata@redhat.com> | 2016-04-22 01:45:29 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-26 00:28:59 +0200 |
commit | 929094c92be6ad5d8314aa2b9dbeac5ddcf4229b (patch) | |
tree | a84aefc0f4e71ebb335601e111aa312ef44a9d02 /base/tps/src | |
parent | ff29573f7425256e4ebfa4ddb11cfebde19de980 (diff) | |
download | pki-929094c92be6ad5d8314aa2b9dbeac5ddcf4229b.tar.gz pki-929094c92be6ad5d8314aa2b9dbeac5ddcf4229b.tar.xz pki-929094c92be6ad5d8314aa2b9dbeac5ddcf4229b.zip |
Added TPSTokendb.revokeCert() and unrevokeCert().
The code in TPSTokendb.revokeCertsByCUID() has been split into
revokeCert() and unrevokeCert() to allow handling each operation
separately.
Diffstat (limited to 'base/tps/src')
-rw-r--r-- | base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 176 |
1 files changed, 121 insertions, 55 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java index f50fd46f4..0d0545322 100644 --- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java @@ -379,6 +379,125 @@ public class TPSTokendb { return true; } + private void revokeCert(TokenRecord tokenRecord, TPSCertRecord cert, String tokenReason, + String ipAddress, String remoteUser) { + + String method = "TPSTokendb.revokeCert"; + String logMsg; + + try { + + IConfigStore configStore = CMS.getConfigStore(); + + // get conn ID + String config = "op.enroll." + cert.getType() + ".keyGen." + cert.getKeyType() + ".ca.conn"; + String connID = configStore.getString(config); + + RevocationReason revokeReason = RevocationReason.UNSPECIFIED; + + logMsg = "called to revoke"; + CMS.debug(method + ": " + logMsg); + boolean revokeCert = shouldRevoke(tokenRecord, cert, tokenReason, ipAddress, remoteUser); + + if (!revokeCert) { + logMsg = "certificate not to be revoked:" + cert.getSerialNumber(); + CMS.debug(method + ":" + logMsg); + return; + } + + logMsg = "certificate to be revoked:" + cert.getSerialNumber(); + CMS.debug(method + ": " + logMsg); + + // get revoke reason + config = "op.enroll." + cert.getType() + ".keyGen." + cert.getKeyType() + + ".recovery." + tokenReason + ".revokeCert.reason"; + int reasonInt = configStore.getInteger(config, 0); + revokeReason = RevocationReason.fromInt(reasonInt); + + CARemoteRequestHandler caRH = new CARemoteRequestHandler(connID); + BigInteger bInt = cert.getSerialNumberInBigInteger(); + String serialStr = bInt.toString(); + CMS.debug(method + ": found cert hex serial: " + cert.getSerialNumber() + + " dec serial: " + serialStr); + CARevokeCertResponse response = + caRH.revokeCertificate(true, serialStr, cert.getCertificate(), + revokeReason); + CMS.debug(method + ": response status: " + response.getStatus()); + + // update certificate status + if (revokeReason == RevocationReason.CERTIFICATE_HOLD) { + updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "revoked_on_hold"); + } else { + updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "revoked"); + } + + logMsg = "certificate revoked: " + cert.getSerialNumber(); + CMS.debug(method + ": " + logMsg); + + //TODO: tdbActivity + + } catch (Exception e) { + logMsg = "certificate not revoked: " + cert.getSerialNumber() + ": " + e; + CMS.debug(method + ": " + logMsg); + + //TODO: tdbActivity + + // continue revoking the next certificate + } + } + + private void unrevokeCert(TokenRecord tokenRecord, TPSCertRecord cert, String tokenReason, + String ipAddress, String remoteUser) { + + String method = "TPSTokendb.unrevokeCert"; + String logMsg; + + try { + IConfigStore configStore = CMS.getConfigStore(); + + // get conn ID + String config = "op.enroll." + cert.getType() + ".keyGen." + cert.getKeyType() + ".ca.conn"; + String connID = configStore.getString(config); + + RevocationReason revokeReason = RevocationReason.UNSPECIFIED; + + logMsg = "called to unrevoke"; + CMS.debug(method + ": " + logMsg); + + if (!cert.getStatus().equalsIgnoreCase("revoked_on_hold")) { + logMsg = "certificate record current status is not revoked_on_hold; cannot unrevoke"; + CMS.debug(method + ": " + logMsg); + return; // TODO: continue or bail? + } + + CARemoteRequestHandler caRH = new CARemoteRequestHandler(connID); + BigInteger bInt = cert.getSerialNumberInBigInteger(); + String serialStr = bInt.toString(); + CMS.debug(method + ": found cert hex serial: " + cert.getSerialNumber() + + " dec serial: " + serialStr); + CARevokeCertResponse response = + caRH.revokeCertificate(false, serialStr, cert.getCertificate(), + revokeReason); + CMS.debug(method + ": response status: " + response.getStatus()); + + // update certificate status + updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "active"); + + logMsg = "certificate unrevoked: " + cert.getSerialNumber(); + CMS.debug(method + ": " + logMsg); + + //TODO: tdbActivity + + } catch (Exception e) { + logMsg = "certificate not unrevoked: " + cert.getSerialNumber() + " : " + e; + CMS.debug(method + ": " + logMsg); + + //TODO: tdbActivity + + // continue unrevoking the next certificate + } + } + private boolean shouldRevoke(TokenRecord tokenRecord, TPSCertRecord cert, String tokenReason, String ipAddress, String remoteUser) throws Exception { IConfigStore configStore = CMS.getConfigStore(); @@ -483,64 +602,11 @@ public class TPSTokendb { IConfigStore configStore = CMS.getConfigStore(); for (TPSCertRecord cert : certRecords) { - // get conn id - String config = "op.enroll." + cert.getType() + ".keyGen." + cert.getKeyType() + ".ca.conn"; - String connID = configStore.getString(config); - - RevocationReason revokeReason = RevocationReason.UNSPECIFIED; - if (isRevoke) { - logMsg = "called to revoke"; - CMS.debug(method + ":" + logMsg); - boolean revokeCert = shouldRevoke(tokenRecord, cert, tokenReason, ipAddress, remoteUser); - - if (!revokeCert) { - logMsg = "cert not to be revoked:" + cert.getSerialNumber(); - CMS.debug(method + ":" + logMsg); - continue; - } - logMsg = "cert to be revoked:" + cert.getSerialNumber(); - CMS.debug(method + ":" + logMsg); - - // get revoke reason - config = "op.enroll." + cert.getType() + ".keyGen." + cert.getKeyType() + - ".recovery." + tokenReason + ".revokeCert.reason"; - int reasonInt = configStore.getInteger(config, 0); - revokeReason = RevocationReason.fromInt(reasonInt); - } else { // is unrevoke - logMsg = "called to unrevoke"; - CMS.debug(method + ":" + logMsg); - if (!cert.getStatus().equalsIgnoreCase("revoked_on_hold")) { - logMsg = "cert record current status is not revoked_on_hold; cannot unrevoke"; - CMS.debug(method + ":" + logMsg); - continue;// TODO: continue or bail? - } - } - - CARemoteRequestHandler caRH = new CARemoteRequestHandler(connID); - BigInteger bInt = cert.getSerialNumberInBigInteger(); - String serialStr = bInt.toString(); - CMS.debug(method + ": found cert hex serial: " + cert.getSerialNumber() + - " dec serial: " + serialStr); - CARevokeCertResponse response = - caRH.revokeCertificate(isRevoke, serialStr, cert.getCertificate(), - revokeReason); - CMS.debug(method + ": response status: " + response.getStatus()); - - // update certificate status - if (isRevoke) { - if (revokeReason == RevocationReason.CERTIFICATE_HOLD) { - updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "revoked_on_hold"); - } else { - updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "revoked"); - } + revokeCert(tokenRecord, cert, tokenReason, ipAddress, remoteUser); } else { - updateCertsStatus(cert.getSerialNumber(), cert.getIssuedBy(), "active"); + unrevokeCert(tokenRecord, cert, tokenReason, ipAddress, remoteUser); } - - logMsg = "cert (un)revoked:" + cert.getSerialNumber(); - CMS.debug(method + ":" + logMsg); - //TODO: tdbActivity } } |