author | Fraser Tweedale <ftweedal@redhat.com> | 2015-10-09 02:54:18 -0400 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2015-10-21 19:55:36 -0400 |
commit | bb3329f19180df9935c8571563eab2f47e31c522 (patch) | |
tree | fe29c86366be833238e9331a557560ba64a7307b /base | |
parent | 465fa069ba67d655be28e1a3b9417dff19148e9f (diff) | |
download | pki-bb3329f19180df9935c8571563eab2f47e31c522.tar.gz pki-bb3329f19180df9935c8571563eab2f47e31c522.tar.xz pki-bb3329f19180df9935c8571563eab2f47e31c522.zip |
CRLIP: omit certs not issued by associated CA
Lightweight CAs mean that a single database can include certificates
from many issuers. Update CRLIssuingPoint to only include
certificates issued by its associated CA.
For backwards compatibility, if the associated CA is the host CA,
certificate records with a missing 'issuerName' attribute are also
included.
Fixes: https://fedorahosted.org/pki/ticket/1626
Diffstat (limited to 'base')
-rw-r--r-- | base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fe230e937..f6eaf7287 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -1868,11 +1868,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
 filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
 }
+ String issuerFilter =
+ "(" + CertRecord.ATTR_X509CERT_ISSUER +
+ "=" + mCA.getX500Name().toString() + ")";
+ // host authority may be absent issuer attribute
+ if (mCA.isHostAuthority()) {
+ issuerFilter =
+ "(|" +
+ "(!(" + CertRecord.ATTR_X509CERT_ISSUER + "=*))" +
+ issuerFilter +
+ ")";
+ }
+ filter += issuerFilter;
+ // get all revoked non-expired certs.
- if (mEndSerial != null || mBeginSerial != null || mCACertsOnly ||
- (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) {
- filter = "(&" + filter + ")";
- }
+ filter = "(&" + filter + ")";
 return filter;
 }
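Review bot: The new `issuerFilter` embeds `mCA.getX500Name().toString()` directly into the LDAP filter string, so a DN component containing `*`, `(`, `)`, `\` or NUL would corrupt or widen the filter; RFC 4515 requires those characters to be escaped in an assertion value, e.g. `"=" + escapeLdapFilterValue(mCA.getX500Name().toString()) + ")"` (placeholder name for whichever filter-value escaper the project has). A related point to confirm: the equality match only works if the stored issuer attribute and `X500Name.toString()` produce the same string form (or the attribute uses a DN-aware matching rule); if they differ, revoked certificates would be silently left out of the CRL, which is the failure this code must not have. The comment `// host authority may be absent issuer attribute` would read better as `// records written before lightweight CAs have no issuer attribute; the host CA also matches those`. The enclosing method begins outside the hunk.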