diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/cert/CertService.java')
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/cert/CertService.java | 40 |
1 files changed, 28 insertions, 12 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/cert/CertService.java b/base/common/src/com/netscape/cms/servlet/cert/CertService.java index 9b7b9d45e..6abe81f2f 100644 --- a/base/common/src/com/netscape/cms/servlet/cert/CertService.java +++ b/base/common/src/com/netscape/cms/servlet/cert/CertService.java @@ -25,11 +25,10 @@ import java.net.URI; import java.security.Principal; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Date; -import java.util.Enumeration; -import java.util.List; +import java.util.*; +import com.netscape.certsrv.base.*; +import com.netscape.cmscore.realm.PKIPrincipal; import netscape.security.pkcs.ContentInfo; import netscape.security.pkcs.PKCS7; import netscape.security.pkcs.SignerInfo; @@ -40,11 +39,6 @@ import netscape.security.x509.X509CertImpl; import org.jboss.resteasy.plugins.providers.atom.Link; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.base.BadRequestException; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.ICertPrettyPrint; -import com.netscape.certsrv.base.PKIException; -import com.netscape.certsrv.base.UnauthorizedException; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.cert.CertData; import com.netscape.certsrv.cert.CertDataInfo; @@ -76,11 +70,17 @@ public class CertService extends PKIService implements CertResource { ICertificateAuthority authority; ICertificateRepository repo; + Random random; + Nonces nonces; public final static int DEFAULT_SIZE = 20; public CertService() { authority = (ICertificateAuthority) CMS.getSubsystem("ca"); + if (authority.noncesEnabled()) { + random = new Random(); + nonces = authority.getNonces(); + } repo = authority.getCertificateRepository(); } @@ -104,9 +104,9 @@ public class CertService extends PKIService implements CertResource { } catch (EDBRecordNotFoundException e) { throw new CertNotFoundException(id); } catch (EBaseException e) { - throw new PKIException("Problem returning certificate: " + id); + throw new PKIException(e.getMessage(), e); } catch (CertificateEncodingException e) { - throw new PKIException("Problem encoding certificate searched for: " + id); + throw new PKIException(e.getMessage(), e); } return certData; @@ -178,11 +178,19 @@ public class CertService extends PKIService implements CertResource { } // Find target cert record if different from client cert. + processor.validateNonce(clientCert, request.getNonce()); + ICertRecord targetRecord = id.equals(clientSerialNumber) ? clientRecord : processor.getCertificateRecord(id); X509CertImpl targetCert = targetRecord.getCertificate(); processor.createCRLExtension(); - processor.validateCertificateToRevoke(clientSubjectDN, targetRecord, caCert); + + PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal(); + // TODO: do not hard-code role name + String subjectDN = principal.hasRole("Certificate Manager Agents") ? + null : clientSubjectDN; + + processor.validateCertificateToRevoke(subjectDN, targetRecord, caCert); processor.addCertificateToRevoke(targetCert); processor.createRevocationRequest(); @@ -444,6 +452,14 @@ public class CertService extends PKIService implements CertResource { certData.setStatus(record.getStatus()); + if (nonces != null) { + long n = random.nextLong(); + long m = nonces.addNonce(n, Processor.getSSLClientCertificate(servletRequest)); + if (n + m != 0) { + certData.setNonce(m); + } + } + URI uri = uriInfo.getBaseUriBuilder().path(CertResource.class).path("{id}").build(certId.toHexString()); certData.setLink(new Link("self", uri)); |