diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java')
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java | 55 |
1 files changed, 19 insertions, 36 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java index 341314887..e555d1ac6 100644 --- a/base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java +++ b/base/common/src/com/netscape/cms/servlet/cert/RevocationProcessor.java @@ -26,7 +26,12 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Date; import java.util.Locale; +import java.util.Map; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; + +import com.netscape.certsrv.authorization.EAuthzException; import netscape.security.x509.CRLExtensions; import netscape.security.x509.CRLReasonExtension; import netscape.security.x509.InvalidityDateExtension; @@ -39,6 +44,7 @@ import com.netscape.certsrv.base.BadRequestException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.ForbiddenException; +import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.UnauthorizedException; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.certdb.CertId; @@ -188,47 +194,24 @@ public class RevocationProcessor extends CertProcessor { return request; } - public void validateNonce(X509Certificate clientCert, Long nonce) { + public boolean isMemberOfSubsystemGroup(X509Certificate clientCert) { - if (nonces != null) { - boolean nonceVerified = false; - boolean skipNonceVerification = false; + if (clientCert == null) { + return false; + } - if (clientCert != null) { - X509Certificate certChain[] = new X509Certificate[1]; - certChain[0] = clientCert; - IUser user = null; - try { - user = ul.locateUser(new Certificates(certChain)); - } catch (Exception e) { - CMS.debug("RevocationProcessor: Failed to map certificate '" + - clientCert.getSubjectDN().getName() + "' to user."); - } - if (ug.isMemberOf(user, "Subsystem Group")) { - skipNonceVerification = true; - } - } + try { + X509Certificate certChain[] = new X509Certificate[1]; + certChain[0] = clientCert; - if (nonce != null) { - X509Certificate storedCert = nonces.getCertificate(nonce); - if (storedCert == null) { - CMS.debug("RevocationProcessor: Unknown nonce"); + IUser user = ul.locateUser(new Certificates(certChain)); + return ug.isMemberOf(user, "Subsystem Group"); - } else if (clientCert != null && storedCert.equals(clientCert)) { - nonceVerified = true; - nonces.removeNonce(nonce); - } - } else { - CMS.debug("RevocationProcessor: Missing nonce"); - } - - CMS.debug("RevocationProcessor: nonceVerified=" + nonceVerified); - CMS.debug("RevocationProcessor: skipNonceVerification=" + skipNonceVerification); - if ((!nonceVerified) && (!skipNonceVerification)) { - throw new ForbiddenException("Invalid nonce."); - } + } catch (Exception e) { + CMS.debug("RevocationProcessor: Failed to map certificate '" + + clientCert.getSubjectDN().getName() + "' to user."); + return false; } - } public void validateCertificateToRevoke(String subjectDN, ICertRecord targetRecord, boolean revokingCACert) { |