author | Andrew Wnuk <awnuk@redhat.com> | 2012-07-10 08:55:39 -0700 |
---|---|---|
committer | Andrew Wnuk <awnuk@redhat.com> | 2012-07-10 08:55:39 -0700 |
commit | 90b781662d18e8336e99421734f9aad4b524d44e (patch) | |
tree | f65ea78318640e753fba2eb22b52c2ea9d068256 /base | |
parent | 759d54747b779a1cb11f1b9fbfe8166e62dde03d (diff) | |
CMC revocation
This patch adds verification of revocation reasons and proper handling of the removeFromCRL revocation reason.
Bug: 441354.
Diffstat (limited to 'base')
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
index ad818d89b..b7120010a 100644
--- a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
@@ -384,6 +384,12 @@ public class CMCRevReqServlet extends CMSServlet {
 // Construct a CRL reason code extension.
 RevocationReason revReason = RevocationReason.fromInt(reason);
+ header.addIntegerValue("reasonCode", reason);
+ if (revReason != null) {
+ header.addStringValue("reason", revReason.toString());
+ } else {
+ header.addStringValue("error", "Invalid revocation reason: "+reason);
+ }
 CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason);
 // Construct a CRL invalidity date extension.
@@ -416,7 +422,8 @@ public class CMCRevReqServlet extends CMSServlet {
 rarg.addBigIntegerValue("serialNumber", cert.getSerialNumber(), 16);
- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
+ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) &&
+ (revReason == null || revReason != RevocationReason.REMOVE_FROM_CRL)) {
 rarg.addStringValue("error", "Certificate " + cert.getSerialNumber().toString() + " is already revoked.");
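Review bot: In the `@@ -384` hunk the `else` branch only records `Invalid revocation reason: ` in the header and then falls through to `new CRLReasonExtension(revReason)` on the very next line with a null reason, so an invalid reason code is reported to the client but not rejected. Unless a later check outside the hunk stops the request when `revReason` is null, the request should be aborted at this point, e.g. `if (revReason == null) { header.addStringValue("error", "Invalid revocation reason: " + reason); return; }`, using whatever error-return path the method already has. The enclosing method starts and ends outside the hunk, so I cannot see whether such a check exists downstream.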
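Review bot: The relaxed guard in the `@@ -416` hunk lets a `REMOVE_FROM_CRL` request past the "already revoked" check for any revoked certificate, but removeFromCRL (RFC 5280 §5.3.1) is only meaningful for a certificate currently revoked with certificateHold; if `ICertRecord` exposes the stored revocation reason (not visible here), the condition should also reject unrevocation of a certificate revoked for any other reason. The `revReason == null ||` clause is redundant, since a null reference is already `!= RevocationReason.REMOVE_FROM_CRL`, so `(revReason != RevocationReason.REMOVE_FROM_CRL)` is enough. The opposite case, `REMOVE_FROM_CRL` against a certificate that is not revoked at all, is not flagged in this hunk either, unless the unrevocation path catches it later. The enclosing loop body starts and ends outside the hunk.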
@@ -521,14 +528,20 @@ public class CMCRevReqServlet extends CMSServlet {
 X509CertImpl[] oldCerts = new X509CertImpl[count];
 RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count];
+ BigInteger[] certSerialNumbers = new BigInteger[count];
 for (int i = 0; i < count; i++) {
 oldCerts[i] = oldCertsV.elementAt(i);
 revCertImpls[i] = revCertImplsV.elementAt(i);
+ certSerialNumbers[i] = oldCerts[i].getSerialNumber();
 }
- IRequest revReq =
- mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+ IRequest revReq = null;
+ if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+ revReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST);
+ } else {
+ revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+ }
 // store a message in the signed audit log file
 auditMessage = CMS.getLogMessage(
@@ -541,13 +554,18 @@ public class CMCRevReqServlet extends CMSServlet {
 audit(auditMessage);
- revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
- revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
 revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT);
- revReq.setExtData(IRequest.REVOKED_REASON, reason);
- revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
- if (comments != null) {
- revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+ if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+ revReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST);
+ revReq.setExtData(IRequest.OLD_SERIALS, certSerialNumbers);
+ } else {
+ revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
+ revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
+ revReq.setExtData(IRequest.REVOKED_REASON, reason);
+ revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
+ if (comments != null) {
+ revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+ }
 }
 // change audit processing from "REQUEST" to "REQUEST_PROCESSED" |
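Review bot: In the `@@ -521` hunk the new `IRequest revReq = null;` followed by an if/else assignment, with the guard `revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL` repeated again in the next hunk, would read better as one flag computed once and a conditional expression: `boolean unrevoke = (revReason == RevocationReason.REMOVE_FROM_CRL);` and `IRequest revReq = mQueue.newRequest(unrevoke ? IRequest.UNREVOCATION_REQUEST : IRequest.REVOCATION_REQUEST);`. The `!= null` half of the guard is dead, because `==` between a null reference and an enum constant is already false. The enclosing method continues past both ends of the hunk.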
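Review bot: In the `@@ -541` hunk the unrevocation branch sets only `REQ_TYPE` and `OLD_SERIALS`, so the requestor's `comments` are silently dropped for `REMOVE_FROM_CRL` requests; unless the unrevocation processor never reads them, the `if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); }` block belongs after the if/else so both request types keep it. The signed-audit message emitted by `audit(auditMessage)` at the top of the hunk is built before the branch (in the previous hunk, cut at its edge), so it presumably still describes a revocation request even when an `UNREVOCATION_REQUEST` is being queued; confirm that an unrevocation-specific audit event is recorded, since restoring a revoked certificate is a security-relevant action an auditor needs to see as such. The enclosing method continues past both ends of the hunk.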