From 88322df4cb62f7b4e38213e141d969fb0093afa8 Mon Sep 17 00:00:00 2001 From: Andrew Wnuk Date: Mon, 9 Jul 2012 17:38:12 -0700 Subject: CMC revocation This patch provides verification of revocation reasons and proper handling for removeFromCRLrevocation reason. Bug: 441354. --- .../cms/servlet/cert/CMCRevReqServlet.java | 36 ++++++++++++++++------ 1 file changed, 27 insertions(+), 9 deletions(-) (limited to 'base') diff --git a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java index 9ed435c07..6afc87639 100644 --- a/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java +++ b/base/common/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java @@ -464,6 +464,12 @@ CMS.debug("**** mFormPath = "+mFormPath); // Construct a CRL reason code extension. RevocationReason revReason = RevocationReason.fromInt(reason); + header.addIntegerValue("reasonCode", reason); + if (revReason != null) { + header.addStringValue("reason", revReason.toString()); + } else { + header.addStringValue("error", "Invalid revocation reason: "+reason); + } CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); // Construct a CRL invalidity date extension. @@ -496,7 +502,8 @@ CMS.debug("**** mFormPath = "+mFormPath); rarg.addBigIntegerValue("serialNumber", cert.getSerialNumber(), 16); - if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { + if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) && + (revReason == null || revReason != RevocationReason.REMOVE_FROM_CRL)) { rarg.addStringValue("error", "Certificate " + cert.getSerialNumber().toString() + " is already revoked."); 
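Review bot: An unrecognized reason code is recorded but not rejected: when `RevocationReason.fromInt(reason)` returns null, the added lines only put an "error" value into `header`, and execution falls through to `new CRLReasonExtension(revReason)` with a null reason and, as the later hunks show, on to a REVOCATION_REQUEST that stores the raw `reason` integer. Unless the template rendering elsewhere stops on the "error" key (not visible here), processing should end at this point, e.g. `if (revReason == null) { header.addStringValue("error", "Invalid revocation reason: " + reason); return; }` placed before the extension is built, using whatever exit this servlet's other error paths use. The `reasonCode` and `reason` header values added here are fine to keep on the success path. The enclosing method starts and ends outside the hunk.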
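Review bot: The relaxed already-revoked check has no converse: a REMOVE_FROM_CRL request against a certificate whose status is not STATUS_REVOKED passes this check silently, and nothing in the hunk confirms the certificate is actually on hold, which is the only state RFC 5280 allows removeFromCRL to release. Unless the unrevocation request processor enforces this (outside this file), add the mirror case, e.g. `} else if (revReason == RevocationReason.REMOVE_FROM_CRL && !rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { rarg.addStringValue("error", "Certificate " + cert.getSerialNumber().toString() + " is not revoked."); }`, and compare the record's stored revocation reason against certificateHold where that information is available. The `revReason == null ||` guard is redundant, since a null reference already satisfies `!= RevocationReason.REMOVE_FROM_CRL`; the same redundancy appears as `revReason != null &&` before `==` in the third and fourth hunks, so compute `boolean unrevoke = revReason == RevocationReason.REMOVE_FROM_CRL;` once after `fromInt` and reuse it in all three places. The surrounding loop and method continue outside the hunk.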
@@ -602,14 +609,20 @@ CMS.debug("**** mFormPath = "+mFormPath); X509CertImpl[] oldCerts = new X509CertImpl[count]; RevokedCertImpl[] revCertImpls = new RevokedCertImpl[count]; + BigInteger[] certSerialNumbers = new BigInteger[count]; for (int i = 0; i < count; i++) { oldCerts[i] = (X509CertImpl) oldCertsV.elementAt(i); revCertImpls[i] = (RevokedCertImpl) revCertImplsV.elementAt(i); + certSerialNumbers[i] = oldCerts[i].getSerialNumber(); } - IRequest revReq = - mQueue.newRequest(IRequest.REVOCATION_REQUEST); + IRequest revReq = null; + if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) { + revReq = mQueue.newRequest(IRequest.UNREVOCATION_REQUEST); + } else { + revReq = mQueue.newRequest(IRequest.REVOCATION_REQUEST); + } // store a message in the signed audit log file auditMessage = CMS.getLogMessage( @@ -622,13 +635,18 @@ CMS.debug("**** mFormPath = "+mFormPath); audit(auditMessage); - revReq.setExtData(IRequest.CERT_INFO, revCertImpls); - revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); revReq.setExtData(IRequest.REQUESTOR_TYPE, IRequest.REQUESTOR_AGENT); - revReq.setExtData(IRequest.REVOKED_REASON, reason); - revReq.setExtData(IRequest.OLD_CERTS, oldCerts); - if (comments != null) { - revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + if (revReason != null && revReason == RevocationReason.REMOVE_FROM_CRL) { + revReq.setExtData(IRequest.REQ_TYPE, IRequest.UNREVOCATION_REQUEST); + revReq.setExtData(IRequest.OLD_SERIALS, certSerialNumbers); + } else { + revReq.setExtData(IRequest.CERT_INFO, revCertImpls); + revReq.setExtData(IRequest.REQ_TYPE, IRequest.REVOCATION_REQUEST); + revReq.setExtData(IRequest.REVOKED_REASON, reason); + revReq.setExtData(IRequest.OLD_CERTS, oldCerts); + if (comments != null) { + revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); + } } // change audit processing from "REQUEST" to "REQUEST_PROCESSED" -- cgit
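Review bot: The audit message built directly after the new branch (`auditMessage = CMS.getLogMessage(`) is unchanged, so if its arguments, which lie outside the hunk, name the revocation audit event, an unrevocation request would be recorded in the signed audit log as a revocation; branch the event on the request type next to the `newRequest` choice. The `IRequest revReq = null;` followed by if/else can be one expression, `IRequest revReq = mQueue.newRequest(revReason == RevocationReason.REMOVE_FROM_CRL ? IRequest.UNREVOCATION_REQUEST : IRequest.REVOCATION_REQUEST);`, which also removes the null initialiser. `certSerialNumbers` is filled for every request but consumed only by the unrevocation path in the next hunk, which is harmless but deserves a comment such as `// serial numbers are needed only for UNREVOCATION_REQUEST (OLD_SERIALS)`. The enclosing method starts and ends outside the hunk.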
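Review bot: The unrevocation branch drops the agent's `comments`: `REQUESTOR_COMMENTS` is now set only in the else block, so the justification for a removeFromCRL request never reaches the request record or its audit trail. Move `if (comments != null) { revReq.setExtData(IRequest.REQUESTOR_COMMENTS, comments); }` out of the else block to sit beside the shared `REQUESTOR_TYPE` line, assuming the unrevocation processor tolerates that key as the revocation processor does (not visible here). Setting `REQ_TYPE` again is redundant with the type already passed to `newRequest` in the previous hunk, but it matches the existing code and is not a blocker. The enclosing method ends outside the hunk.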