Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/cert/CertService.java')
-rw-r--r--base/common/src/com/netscape/cms/servlet/cert/CertService.java31
1 files changed, 28 insertions, 3 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/cert/CertService.java b/base/common/src/com/netscape/cms/servlet/cert/CertService.java
index 9b7b9d45e..4810566b1 100644
--- a/base/common/src/com/netscape/cms/servlet/cert/CertService.java
+++ b/base/common/src/com/netscape/cms/servlet/cert/CertService.java
@@ -29,6 +29,7 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
+import java.util.Random;
import netscape.security.pkcs.ContentInfo;
import netscape.security.pkcs.PKCS7;
@@ -43,6 +44,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ICertPrettyPrint;
+import com.netscape.certsrv.base.Nonces;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.UnauthorizedException;
import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -65,6 +67,7 @@ import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.request.IRequest;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cms.servlet.processors.Processor;
+import com.netscape.cmscore.realm.PKIPrincipal;
import com.netscape.cmsutil.ldap.LDAPUtil;
import com.netscape.cmsutil.util.Utils;
@@ -76,11 +79,17 @@ public class CertService extends PKIService implements CertResource {
ICertificateAuthority authority;
ICertificateRepository repo;
+ Random random;
+ Nonces nonces;
public final static int DEFAULT_SIZE = 20;
public CertService() {
authority = (ICertificateAuthority) CMS.getSubsystem("ca");
+ if (authority.noncesEnabled()) {
+ random = new Random();
+ nonces = authority.getNonces();
+ }
repo = authority.getCertificateRepository();
}
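Review bot: `random = new Random();` in the constructor makes `java.util.Random` the source of the nonces, and that generator is a linear congruential one whose later outputs can be derived from a few observed values. The nonces issued in the last hunk (`long n = random.nextLong();`) are what `validateNonce` checks before a revocation, so they should come from a cryptographic generator. Declare the field as `SecureRandom random;`, construct it with `random = new SecureRandom();`, and replace the import in the first hunk with `import java.security.SecureRandom;`. The class body continues outside this hunk.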
@@ -104,9 +113,9 @@ public class CertService extends PKIService implements CertResource {
} catch (EDBRecordNotFoundException e) {
throw new CertNotFoundException(id);
} catch (EBaseException e) {
- throw new PKIException("Problem returning certificate: " + id);
+ throw new PKIException(e.getMessage(), e);
} catch (CertificateEncodingException e) {
- throw new PKIException("Problem encoding certificate searched for: " + id);
+ throw new PKIException(e.getMessage(), e);
}
return certData;
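Review bot: Both rewritten `throw` lines now use `e.getMessage()` as the PKIException message, which drops the certificate id from the error. If PKIException messages are serialized into the REST response (not visible here), it also passes internal database or encoding error text to the client. Chaining the cause is the useful part of the change, so keep the fixed message and add the cause, e.g. `throw new PKIException("Problem returning certificate: " + id, e);`, with the matching encoding message in the second catch. The enclosing method starts outside the hunk.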
@@ -177,12 +186,20 @@ public class CertService extends PKIService implements CertResource {
}
}
+ processor.validateNonce(clientCert, request.getNonce());
+
// Find target cert record if different from client cert.
ICertRecord targetRecord = id.equals(clientSerialNumber) ? clientRecord : processor.getCertificateRecord(id);
X509CertImpl targetCert = targetRecord.getCertificate();
processor.createCRLExtension();
- processor.validateCertificateToRevoke(clientSubjectDN, targetRecord, caCert);
+
+ PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal();
+ // TODO: do not hard-code role name
+ String subjectDN = principal.hasRole("Certificate Manager Agents") ?
+ null : clientSubjectDN;
+
+ processor.validateCertificateToRevoke(subjectDN, targetRecord, caCert);
processor.addCertificateToRevoke(targetCert);
processor.createRevocationRequest();
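Review bot: The cast `(PKIPrincipal)servletRequest.getUserPrincipal()` is dereferenced on the following line with no null or type check. A request that reaches this method without a PKIPrincipal would fail with a NullPointerException or ClassCastException rather than a clean authorization error. Passing `null` as subjectDN appears to switch off the owner check in `validateCertificateToRevoke`, so this decision should fail closed: test `servletRequest.getUserPrincipal() instanceof PKIPrincipal` first and throw the already-imported `UnauthorizedException` otherwise. The hard-coded role name is already covered by the TODO, and the method body begins and ends outside the hunk.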
@@ -444,6 +461,14 @@ public class CertService extends PKIService implements CertResource {
certData.setStatus(record.getStatus());
+ if (nonces != null) {
+ long n = random.nextLong();
+ long m = nonces.addNonce(n, Processor.getSSLClientCertificate(servletRequest));
+ if (n + m != 0) {
+ certData.setNonce(m);
+ }
+ }
+
URI uri = uriInfo.getBaseUriBuilder().path(CertResource.class).path("{id}").build(certId.toHexString());
certData.setLink(new Link("self", uri));
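Review bot: The test `if (n + m != 0)` in the added block is an undocumented sentinel check: it only makes sense if `addNonce` returns the negated input when it cannot store a nonce, which this page does not show. Add a comment such as `// addNonce presumably returns -n on failure; only publish a nonce that was stored (confirm against Nonces)`. When the test fails, the response silently carries no nonce and a later revocation would presumably be rejected by `validateNonce`, so a log line on that path would help operators. It is also worth confirming what `Processor.getSSLClientCertificate(servletRequest)` returns for a request without a client certificate, since the nonce is bound to that value. The enclosing method starts and ends outside the hunk.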