From 5e1099d21288fc23eb41b68d0e21fb683019d08c Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Wed, 9 Jan 2013 18:44:54 -0800 Subject: Bug 839426 - [RFE] ECC CRL support for OCSP --- .../netscape/cms/servlet/ocsp/AddCRLServlet.java | 24 +++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/base/common/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/common/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java index ff2d76029..c144d6e39 100644 --- a/base/common/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java +++ b/base/common/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java @@ -34,6 +34,7 @@ import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509ExtensionException; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; @@ -339,13 +340,30 @@ public class AddCRLServlet extends CMSServlet { pt.getThisUpdate()); // verify CRL + CryptoManager cmanager = null; + boolean tokenSwitched = false; + CryptoToken verToken = null; + CryptoToken savedToken = null; byte caCertData[] = pt.getCACert(); if (caCertData != null) { try { + cmanager = CryptoManager.getInstance(); X509CertImpl caCert = new X509CertImpl(caCertData); CMS.debug("AddCRLServlet: start verify"); - CryptoManager cmanager = CryptoManager.getInstance(); + String tokenName = + CMS.getConfigStore().getString("ocsp.crlVerify.token", "internal"); + savedToken = cmanager.getThreadToken(); + if (tokenName.equals("internal")) { + verToken = cmanager.getInternalCryptoToken(); + } else { + verToken = cmanager.getTokenByName(tokenName); + } + if (!savedToken.getName().equals(verToken.getName())) { + cmanager.setThreadToken(verToken); + tokenSwitched = true; + } + org.mozilla.jss.crypto.X509Certificate jssCert = null; try { jssCert = cmanager.importCACertPackage( 
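Review bot: The token switch ahead of `importCACertPackage` is undocumented: nothing in the hunk says why CRL verification may need a token other than the thread's current one, or what `ocsp.crlVerify.token` accepts beyond the literal `"internal"`. I would add above the `String tokenName =` line: `// ocsp.crlVerify.token names the JSS token used to verify the CRL signature; "internal" (the default) selects the internal crypto token, any other value is looked up with getTokenByName()`, and `// restored in the finally of this try` next to `cmanager.setThreadToken(verToken);`. The name comparison `!savedToken.getName().equals(verToken.getName())` assumes `savedToken` is never null; that holds if `getThreadToken()` falls back to an internal token when no thread token has been set, which I believe the JSS API does but which should be confirmed for the bundled JSS version, and the checked exceptions `getTokenByName()` and `getName()` can throw must be covered by this try's catch clauses, which are outside the hunk. The enclosing method starts before this hunk and the matching `finally` appears in a later hunk (`@@ -392,6 +410,10`).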
@@ -392,6 +410,10 @@ public class AddCRLServlet extends CMSServlet { throw new ECMSGWException( CMS.getUserMessage("CMS_GW_DECODING_CRL_ERROR")); + } finally { + if (tokenSwitched == true){ + cmanager.setThreadToken(savedToken); + } } } -- cgit
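Review bot: `if (tokenSwitched == true){` compares a boolean against a literal and is missing the space before the brace; write `if (tokenSwitched) {`. The restore itself is correctly placed: `tokenSwitched` is only set after `setThreadToken(verToken)` succeeded inside the same try, so `cmanager` is non-null here and the thread token is put back even when the catch above rethrows `ECMSGWException`, which matters if the servlet container reuses this thread for later requests. A short comment such as `// undo the thread-token switch made before CRL verification` would make clear which earlier statement this finally reverses, since that statement lives in a previous hunk. The enclosing method continues past this hunk.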