From 90b781662d18e8336e99421734f9aad4b524d44e Mon Sep 17 00:00:00 2001
From: Andrew Wnuk
Date: Tue, 10 Jul 2012 08:55:39 -0700
Subject: CMC revocation

This patch provides verification of revocation reasons and proper handling for removeFromCRLrevocation reason.

Bug: 441354.
---
 .../cms/servlet/cert/CMCRevReqServlet.java | 36 ++++++++++++++++------
 1 file changed, 27 insertions(+), 9 deletions(-)

(limited to 'base/common/src/com/netscape')

diff --git a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
index ad818d89b..b7120010a 100644
--- a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
@@ -384,6 +384,12 @@ public class CMCRevReqServlet extends CMSServlet {
             // Construct a CRL reason code extension.
             RevocationReason revReason = RevocationReason.fromInt(reason);
+            header.addIntegerValue("reasonCode", reason);
+            if (revReason != null) {
+                header.addStringValue("reason", revReason.toString());
+            } else {
+                header.addStringValue("error", "Invalid revocation reason: "+reason);
+            }
             CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason);
             // Construct a CRL invalidity date extension.
@@ -416,7 +422,8 @@ public class CMCRevReqServlet extends CMSServlet {
                 rarg.addBigIntegerValue("serialNumber", cert.getSerialNumber(), 16);
-                if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
+                if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) &&
+                    (revReason == null || revReason != RevocationReason.REMOVE_FROM_CRL)) {
                     rarg.addStringValue("error", "Certificate " + cert.getSerialNumber().toString() + " is already revoked.");
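Review bot: An unknown reason code is reported but not rejected: the new `else` branch only writes `"error"` into the header, and the very next line still runs `new CRLReasonExtension(revReason)` with a null reason, so request construction carries on. The rest of this method lies outside the hunk, so a later abort keyed on the header's error entry is possible but not visible; unless such a check exists, the `else` branch should leave through the servlet's existing error path instead of falling through, so that an arbitrary integer supplied as the reason never reaches the revocation request. A one-line comment such as `// reject unknown reason codes here; downstream code assumes revReason is non-null` would also make the intended contract explicit. The enclosing method begins before this hunk and continues after it.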
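Review bot: The relaxed "already revoked" check has no mirror for the new path: nothing verifies that a `REMOVE_FROM_CRL` request targets a certificate that is actually revoked, let alone one revoked with certificateHold rather than a permanent reason such as key compromise (RFC 5280 reserves removeFromCRL for lifting a hold). If the unrevocation request handler does not enforce this itself (it is outside the hunk), an agent could queue an unrevocation of a compromised certificate from this servlet. Add the inverse check alongside the existing one, e.g. `} else if (revReason == RevocationReason.REMOVE_FROM_CRL && !rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { rarg.addStringValue("error", "Certificate " + cert.getSerialNumber().toString() + " is not revoked."); }`, and compare the stored revocation reason against certificateHold before the request is built. As a point of style, the `revReason == null ||` part of the new condition is redundant, since `null != RevocationReason.REMOVE_FROM_CRL` is already true.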
@@ -521,14 +528,20 @@ public class CMCRevReqServlet extends CMSServlet {
             X509CertImpl[] oldCerts = new X509CertImpl[count];
             RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count];
+            BigInteger[] certSerialNumbers = new BigInteger[count];
             for (int i = 0; i < count; i++) {
                 oldCerts[i] = oldCertsV.elementAt(i);
                 revCertImpls[i] = revCertImplsV.elementAt(i);
+                certSerialNumbers[i] = oldCerts[i].getSerialNumber();
             }
-            IRequest revReq =
-                    mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+            IRequest revReq = null;
+            if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+                revReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST);
+            } else {
+                revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST);
+            }
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
@@ -541,13 +554,18 @@ public class CMCRevReqServlet extends CMSServlet {
             audit(auditMessage);
-            revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
-            revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
             revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT);
-            revReq.setExtData(IRequest.REVOKED_REASON, reason);
-            revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
-            if (comments != null) {
-                revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+            if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) {
+                revReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST);
+                revReq.setExtData(IRequest.OLD_SERIALS, certSerialNumbers);
+            } else {
+                revReq.setExtData(IRequest.CERT_INFO, revCertImpls);
+                revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST);
+                revReq.setExtData(IRequest.REVOKED_REASON, reason);
+                revReq.setExtData(IRequest.OLD_CERTS, oldCerts);
+                if (comments != null) {
+                    revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments);
+                }
             }
             // change audit processing from "REQUEST" to "REQUEST_PROCESSED"
-- cgit
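Review bot: The signed-audit message assembled immediately after the new branch (`auditMessage = CMS.getLogMessage(`, whose arguments lie outside the hunk) is the same call on both paths, so if it names a revocation event an unrevocation will be audited as a revocation. Either pick a distinct audit message when `revReq` was created as an `UNREVOCATION_REQUEST`, or include the request type among the logged parameters; an audit trail that cannot tell the two apart is a real gap, since unrevocation restores trust in a certificate. As a point of style, `revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL` can be just `revReason == RevocationReason.REMOVE_FROM_CRL`, because `==` against null is safe, and `revCertImpls` is still populated on the unrevoke path even though the later hunk only attaches it to revocation requests. The enclosing method starts before this hunk.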
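Review bot: The agent's `comments` are attached only on the revocation path; the new `REMOVE_FROM_CRL` branch never sets `IRequest.REQUESTOR_COMMENTS`, so the stated justification for lifting a hold is dropped from the request record. Move `if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); }` below the if/else so both request types carry it. Separately, the `else` branch still stores the raw integer `reason` as `REVOKED_REASON` when `revReason` is null (the first hunk only records an error header for that case), so an unrecognised code can still be queued; the rejection needs to happen before this point or this branch must refuse to build the request. The enclosing method continues past this hunk.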