From d3f50c6a77b164cc876192ab95639ad913f33deb Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 20 Jul 2017 17:50:38 -0700
Subject: [PATCH] Ticket #1665 (code realignment) Certificate Revocation
Reasons not being updated in some cases This patch makes sure that when a
token is temporarily lost (certs on_hold), its certs are properly revoked
when moving to other revocation reasons when marked damaged or permanently
lost. In addition, on the CA side, this patch to some degree mimics the
original request for transitions from SUPERSEDED to KEY_COMPROMISED, although
in the current TPS that is prohibited. Also, the original requested code
skipped over informing CRLIssuingPoints, while in this patch, that is not
skipped as the revocation reason has changed it should be updated; Time
stamp in the cert record is also updated, which is different from the
original requested code. Development tests were conducted on currently
allowed TPS token state transitions only.
|
Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168
(cherry picked from commit 36213c8b614775feadfebef54db034e1155d33c7)
(cherry picked from commit 34aabcc5fb21f35d96f76fc5b822959f26aacf42)
---
base/ca/src/com/netscape/ca/CAService.java | 58 +++++++++++++++++--
.../netscape/certsrv/dbs/certdb/ICertRecord.java | 9 +++
.../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 51 +++++++++++++----
base/server/cmsbundle/src/LogMessages.properties | 2 +
base/server/cmsbundle/src/UserMessages.properties | 1 +
.../src/com/netscape/cmscore/dbs/CertRecord.java | 65 +++++++++++++++-------
.../cmscore/dbs/CertificateRepository.java | 32 ++++++-----
7 files changed, 166 insertions(+), 52 deletions(-)
|
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index c9eacfe..7cc6a31 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -980,8 +980,28 @@ public class CAService implements ICAService, IService {
BigInteger serialno = crlentry.getSerialNumber();
Date revdate = crlentry.getRevocationDate();
CRLExtensions crlentryexts = crlentry.getExtensions();
+ String msg = "";
|
CMS.debug("CAService.revokeCert: revokeCert begins");
+
+ // Get the revocation reason
+ Enumeration enum1 = crlentryexts.getElements();
+ RevocationReason revReason = null;
+ while (enum1.hasMoreElements()) {
+ Extension ext = (Extension) enum1.nextElement();
+ if (ext instanceof CRLReasonExtension) {
+ revReason = ((CRLReasonExtension) ext).getReason();
+ break;
+ }
+ }
+ if (revReason == null) {
+ CMS.debug("CAService.revokeCert: missing revocation reason");
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_REV_REASON=", serialno.toString(16)));
+ throw new ECAException(
+ CMS.getUserMessage("CMS_CA_MISSING_REV_REASON",
+ "0x" + serialno.toString(16)));
+ }
+
CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno);
|
if (certRec == null) {
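Review bot: The log-message key on the `mCA.log(...)` line in this hunk carries a trailing `=` — `"CMSCORE_CA_MISSING_REV_REASON="` — which does not match the `CMSCORE_CA_MISSING_REV_REASON` key this patch adds to LogMessages.properties, so the failure entry will be written with an unresolved key instead of the intended text; change it to `CMS.getLogMessage("CMSCORE_CA_MISSING_REV_REASON", serialno.toString(16))`. The extension loop also declares the raw type `Enumeration enum1`; `Enumeration<?>` (or whatever element type `getElements()` declares) avoids the raw-type warning without changing behaviour. `crlentryexts` is dereferenced via `getElements()` with no null check, so if `crlentry.getExtensions()` can return null for an entry without extensions this becomes a NullPointerException before the missing-reason path is reached; a null guard routed into the same `CMS_CA_MISSING_REV_REASON` error would be cleaner. revokeCert begins above this hunk and continues below it.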
@@ -995,24 +1015,52 @@ public class CAService implements ICAService, IService {
// allow revoking certs that are on hold.
String certStatus = certRec.getStatus();
|
- if ((certStatus.equals(ICertRecord.STATUS_REVOKED) &&
- !certRec.isCertOnHold()) ||
+ RevocationReason recRevReason = null;
+ if (certStatus.equals(ICertRecord.STATUS_REVOKED)) {
+ try {
+ recRevReason = certRec.getRevReason();
+ } catch (Exception e) {
+ throw new EBaseException(e);
+ }
+ if (recRevReason == null) {
+ msg = "existing revoked cert missing revocation reason";
+ CMS.debug("CAService.revokeCert: " + msg);
+ throw new EBaseException(msg);
+ }
+ }
+
+ // for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE
+ if (((certStatus.equals(ICertRecord.STATUS_REVOKED) &&
+ !certRec.isCertOnHold()) &&
+ ((recRevReason != RevocationReason.SUPERSEDED) ||
+ revReason != RevocationReason.KEY_COMPROMISE))
+ ||
certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) {
CMS.debug("CAService.revokeCert: cert already revoked:" +
serialno.toString());
throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED",
"0x" + Long.toHexString(serialno.longValue())));
}
+
try {
+ // if cert has already revoked, update the revocation info only
CMS.debug("CAService.revokeCert: about to call markAsRevoked");
- if (certRec.isCertOnHold()) {
+ if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) {
mCA.getCertificateRepository().markAsRevoked(serialno,
- new RevocationInfo(revdate, crlentryexts), true /*isAlreadyOnHold*/);
+ new RevocationInfo(revdate, crlentryexts),
+ true /*isAlreadyRevoked*/);
+ CMS.debug("CAService.revokeCert: on_hold cert marked revoked");
+ mCA.log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE",
+ recRevReason.toString(),
+ revReason.toString(),
+ serialno.toString(16)));
} else {
mCA.getCertificateRepository().markAsRevoked(serialno,
new RevocationInfo(revdate, crlentryexts));
}
- CMS.debug("CAService.revokeCert: cert revoked");
+
+ CMS.debug("CAService.revokeCert: cert now revoked");
mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED",
serialno.toString(16)));
// inform all CRLIssuingPoints about revoked certificate
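Review bot: The SUPERSEDED-to-KEY_COMPROMISE transition that the widened guard in this hunk now lets through still takes the `else` branch at the `markAsRevoked` call, because that branch is selected by `certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()` and a SUPERSEDED record is not on hold; the two-argument overload then runs with `isAlreadyRevoked == false`, which per the CertificateRepository change in this same patch issues MOD_ADD for `ATTR_REVO_INFO`, `ATTR_REVOKED_BY` and `ATTR_REVOKED_ON` on a record that already carries them. Since every other already-revoked, non-hold status has been rejected above, the branch test can simply be `if (certStatus.equals(ICertRecord.STATUS_REVOKED)) {`, so that both the on-hold and the reason-change paths pass `true /*isAlreadyRevoked*/` and emit the `CMSCORE_CA_CERT_REVO_INFO_UPDATE` entry. The `catch (Exception e) { throw new EBaseException(e); }` wrapper also re-wraps an `EBaseException` coming out of `getRevReason()` in another one, hiding the original type from the caller; rethrowing `EBaseException` unchanged and wrapping only `X509ExtensionException` would keep it visible. The debug text `"on_hold cert marked revoked"` would then need rewording, since the branch is no longer specific to on-hold certs. revokeCert continues past the end of the hunk.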
diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
index 3a0c955..65db57e 100644
--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
@@ -20,6 +20,9 @@ package com.netscape.certsrv.dbs.certdb;
import java.math.BigInteger;
import java.util.Date;
|
+import com.netscape.certsrv.base.EBaseException;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509ExtensionException;
import netscape.security.x509.X509CertImpl;
|
import com.netscape.certsrv.base.MetaInfo;
@@ -181,4 +184,10 @@ public interface ICertRecord extends IDBObj {
* is this cert on hold?
*/
public boolean isCertOnHold();
+
+ /**
+ * returns the revocation reason
+ */
+ public RevocationReason getRevReason()
+ throws EBaseException, X509ExtensionException;
}
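Review bot: The Javadoc on the new `getRevReason()` says only "returns the revocation reason" and does not state what a null return means or when each declared exception is thrown, yet the CAService and DoRevokeTPS callers in this patch branch on exactly that distinction (null is reported as "existing revoked cert missing revocation reason"). Suggest `@return the reason from the record's CRLReason entry extension, or {@code null} when the record carries no revocation info`, with `@throws X509ExtensionException if the revocation info has no CRL entry extensions` and `@throws EBaseException if the CRLReason extension is absent` — those are the conditions the CertRecord implementation in this patch raises them for. The new `netscape.security.x509` imports are also interleaved with the `com.netscape` group in the first hunk of this file, whereas the CertRecord.java hunks in the same patch move that package into its own group; doing the same here keeps the two files consistent.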
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
index a9a6238..47062f2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
@@ -1,4 +1,4 @@
-// --- BEGIN COPYRIGHT BLOCK ---
+
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; version 2 of the License.
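Review bot: This hunk replaces the `// --- BEGIN COPYRIGHT BLOCK ---` marker at the top of DoRevokeTPS.java with an empty line, which is unrelated to the revocation-reason change and leaves the license header without its opening marker (the matching END marker, if present, is outside the hunk). Restore the line as `// --- BEGIN COPYRIGHT BLOCK ---` unless the removal is deliberate.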
@@ -330,8 +330,10 @@ public class DoRevokeTPS extends CMSServlet {
String auditRequestType = auditRequestType(reason);
RequestStatus auditApprovalStatus = null;
String auditReasonNum = String.valueOf(reason);
- String method = "DoRevokeTPS.process";
+ String method = "DoRevokeTPS.process:";
+ String msg = "";
|
+ CMS.debug(method + "begins");
if (revokeAll != null) {
CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll);
|
@@ -357,6 +359,8 @@ public class DoRevokeTPS extends CMSServlet {
Vector<RevokedCertImpl> revCertImplsV = new Vector<RevokedCertImpl>();
|
// Construct a CRL reason code extension.
+
+ CMS.debug(method + "reason code = " + reason);
RevocationReason revReason = RevocationReason.fromInt(reason);
CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason);
|
@@ -401,22 +405,47 @@ public class DoRevokeTPS extends CMSServlet {
}
|
if (xcert != null) {
+ RevocationReason recRevReason = null;
+ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
+ try {
+ recRevReason = rec.getRevReason();
+ } catch (Exception ex) {
+ CMS.debug(method + ex.toString());
+ throw new EBaseException(ex);
+ }
+ if (recRevReason == null) {
+ msg = "existing revoked cert missing revocation reason";
+ CMS.debug(method + msg);
+ throw new EBaseException(msg);
+ }
+ }
+
rarg.addStringValue("serialNumber",
xcert.getSerialNumber().toString(16));
|
- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)
- && !rec.isCertOnHold()) {
- alreadyRevokedCertFound = true;
- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " has already been revoked.");
- } else {
+ boolean updateRevocation = true;
+ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED) &&
+ revReason == RevocationReason.KEY_COMPROMISE)) {
+ updateRevocation = false;
+ if ((recRevReason == RevocationReason.SUPERSEDED) ||
+ (rec.isCertOnHold())) {
+ updateRevocation = true;
+ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16)
+ + " has been revoked, but reason is changed");
+ } else {
+ alreadyRevokedCertFound = true;
+ CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + " has been revoked.");
+ }
+ }
+ if (updateRevocation) {
oldCertsV.addElement(xcert);
|
- RevokedCertImpl revCertImpl =
- new RevokedCertImpl(xcert.getSerialNumber(),
- CMS.getCurrentDate(), entryExtn);
+ RevokedCertImpl revCertImpl = new RevokedCertImpl(xcert.getSerialNumber(),
+ CMS.getCurrentDate(), entryExtn);
|
revCertImplsV.addElement(revCertImpl);
- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " is going to be revoked.");
+ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16)
+ + " is going to be revoked.");
count++;
}
} else {
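Review bot: The new `updateRevocation` test only treats a record as already revoked when the incoming reason is KEY_COMPROMISE: for a record in STATUS_REVOKED that is not on hold and a new reason of, say, CESSATION_OF_OPERATION or SUPERSEDED, `updateRevocation` stays true, the cert is added to `oldCertsV` and `revCertImplsV`, and `alreadyRevokedCertFound` is never set, whereas the code this hunk removes flagged every non-hold revoked cert. The CAService change in this same patch rejects exactly those requests with CMS_CA_CERT_ALREADY_REVOKED, so the servlet will now submit requests the CA refuses; mirroring the CA rule here — already revoked unless on hold, or SUPERSEDED with a new reason of KEY_COMPROMISE — keeps both sides consistent and preserves the early detection the old code had. Two smaller points: `catch (Exception ex)` around `rec.getRevReason()` re-wraps an `EBaseException` in another `EBaseException`, and the debug line in the inner `else` branch dropped the `method +` prefix that every other message in this hunk carries. The enclosing `process` method and the `if (xcert != null)` block both extend beyond the hunk.
```java
boolean updateRevocation = true;
if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) && !rec.isCertOnHold()
        && !(recRevReason == RevocationReason.SUPERSEDED
             && revReason == RevocationReason.KEY_COMPROMISE)) {
    // same rule CAService.revokeCert applies: an already-revoked cert is only
    // re-revoked when it is on hold or is SUPERSEDED moving to KEY_COMPROMISE
    updateRevocation = false;
    alreadyRevokedCertFound = true;
    CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16)
            + " has already been revoked.");
} else if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
    CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16)
            + " has been revoked, but reason is changed");
}
if (updateRevocation) {
    // … unchanged: build RevokedCertImpl, queue it, count++ …
}
```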
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 5e51440..ff432b6 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -119,7 +119,9 @@ CMSCORE_CA_STORE_SERIAL=CA stored signed certificate serial number 0x{0}
CMSCORE_CA_MARK_SERIAL=CA marked certificate serial number 0x{0} as renewed with serial number 0x{1}
CMSCORE_CA_NO_STORE_SERIAL=Could not store certificate serial number 0x{0}
CMSCORE_CA_CERT_NOT_FOUND=Cannot find certificate serial number 0x{0}
+CMSCORE_CA_MISSING_REV_REASON=Missing revocation reason for revocation request on serial number 0x{0}
CMSCORE_CA_CERT_REVOKED=Revoked certificate serial number 0x{0}
+CMSCORE_CA_CERT_REVO_INFO_UPDATE=Revocation reason changed from {0} to {1} Certificate serial number 0x{2}
CMSCORE_CA_ERROR_REVOCATION=Error revoking certificate {0}. Error {1}
CMSCORE_CA_CERT_ON_HOLD=Certificate {0} has to be on-hold.
CMSCORE_CA_CERT_UNREVOKED=Unrevoked certificate serial number 0x{0}
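Review bot: The new `CMSCORE_CA_CERT_REVO_INFO_UPDATE` text runs two clauses together with no separator ("...changed from {0} to {1} Certificate serial number 0x{2}"), which reads awkwardly in the audit log. `CMSCORE_CA_CERT_REVO_INFO_UPDATE=Revocation reason changed from {0} to {1} for certificate serial number 0x{2}` keeps the same placeholders and reads as one sentence, in line with the neighbouring `CMSCORE_CA_CERT_REVOKED` entry.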
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index ed2a620..4d1b755 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -397,6 +397,7 @@ CMS_CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by
CMS_CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by the CLA
CMS_CA_RENEW_FAILED=One or more certificates could not be renewed
CMS_CA_CANT_FIND_CERT_SERIAL=Cannot find certificate with serial number {0}
+CMS_CA_MISSING_REV_REASON=Missing revocation reason for revocatoin request on serial number {0}
CMS_CA_TOKEN_NOT_FOUND=Token {0} not found
CMS_CA_CERT_OBJECT_NOT_FOUND=Certificate object not found
CMS_CA_TOKEN_ERROR=Token Error
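Review bot: The new user-facing message contains a typo, `revocatoin`; it should read `CMS_CA_MISSING_REV_REASON=Missing revocation reason for revocation request on serial number {0}`. The CAService caller in this patch passes the serial already prefixed with `0x`, so the `{0}` here is correctly left without a literal prefix, unlike the LogMessages entry that adds `0x` itself — worth noting so the two stay aligned.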
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java
index a79f7a3..d4f3c03 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java
@@ -23,12 +23,6 @@ import java.util.Date;
import java.util.Enumeration;
import java.util.Vector;
|
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.MetaInfo;
@@ -37,6 +31,12 @@ import com.netscape.certsrv.dbs.IDBObj;
import com.netscape.certsrv.dbs.certdb.ICertRecord;
import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
|
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509ExtensionException;
+
/**
* A class represents a serializable certificate record.
*
@@ -274,27 +274,50 @@ public class CertRecord implements IDBObj, ICertRecord {
return mModifyTime;
}
|
+ /*
+ * getRevReason -
+ * @returns RevocationReason if cert is revoked; null if not
+ * it throws exceptions if anything failed
+ */
+ public RevocationReason getRevReason()
+ throws EBaseException, X509ExtensionException {
+ String method = "CertRecord.getRevReason:";
+ String msg = "";
+ //CMS.debug(method + " checking for cert serial: "
+ // + getSerialNumber().toString());
+ IRevocationInfo revInfo = getRevocationInfo();
+ if (revInfo == null) {
+ msg = "revInfo null for" + getSerialNumber().toString();
+ CMS.debug(method + msg);
+ return null;
+ }
+
+ CRLExtensions crlExts = revInfo.getCRLEntryExtensions();
+ if (crlExts == null)
+ throw new X509ExtensionException("crlExts null");
+
+ CRLReasonExtension reasonExt = null;
+ reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME);
+ if (reasonExt == null)
+ throw new EBaseException("reasonExt null");
+
+ return reasonExt.getReason();
+ }
+
public boolean isCertOnHold() {
String method = "CertRecord.isCertOnHold:";
CMS.debug(method + " checking for cert serial: "
- + getSerialNumber().toString());
- IRevocationInfo revInfo = getRevocationInfo();
- if (revInfo != null) {
- CRLExtensions crlExts = revInfo.getCRLEntryExtensions();
- if (crlExts == null) return false;
- CRLReasonExtension reasonExt = null;
- try {
- reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME);
- } catch (X509ExtensionException e) {
- CMS.debug(method + " returning false:" + e.toString());
- return false;
- }
- if (reasonExt.getReason() == RevocationReason.CERTIFICATE_HOLD) {
- CMS.debug(method + " returning true");
+ + getSerialNumber().toString());
+ try {
+ RevocationReason revReason = getRevReason();
+ if (revReason == RevocationReason.CERTIFICATE_HOLD) {
+ CMS.debug(method + "for " + getSerialNumber().toString() + " returning true");
return true;
}
+ } catch (Exception e) {
+ CMS.debug(method + e);
}
- CMS.debug(method + " returning false");
+ CMS.debug(method + "for " + getSerialNumber().toString() + " returning false");
return false;
}
|
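Review bot: The comment above the new `getRevReason()` opens with `/*` rather than `/**` and uses `@returns`, so it is not picked up as Javadoc and the tag is not a valid one; since the callers added in this patch depend on the null-versus-exception contract, make it `/**` with `@return the revocation reason, or {@code null} when the record has no revocation info`, `@throws X509ExtensionException if the revocation info has no CRL entry extensions`, and `@throws EBaseException if the CRLReason extension is missing`. The debug text `"revInfo null for" + getSerialNumber().toString()` is missing a space before the serial, and the two commented-out `CMS.debug` lines are dead code that can be dropped. In `isCertOnHold()`, the new `catch (Exception e)` now also absorbs the `EBaseException` raised for a revoked record that has no reason extension and reports the cert as not on hold — the old code returned false only for `X509ExtensionException` and would have hit a NullPointerException on a missing extension — so a one-line comment such as `// a record whose reason cannot be read is treated as not on hold` would make the silent fallback visibly intentional.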
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
index 9a333fe..367917f 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -1110,19 +1110,21 @@ public class CertificateRepository extends Repository
|
/**
* Marks certificate as revoked.
- * isAlreadyOnHold - boolean to indicate that the cert was revoked onHold
- * When a cert was originally onHold, some of the ldap attributes
- * already exist, so "MOD_REPLACE" is needed instead of "MOD_ADD"
+ * isAlreadyRevoked - boolean to indicate that the cert was revoked
+ * ( possibly onHold )
+ * When a cert was originally revoked (possibly onHold),
+ * some of the ldap attributes already exist,
+ * so "MOD_REPLACE" is needed instead of "MOD_ADD"
*/
public void markAsRevoked(BigInteger id, IRevocationInfo info)
throws EBaseException {
markAsRevoked(id, info, false);
}
- public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyOnHold)
+
+ public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyRevoked)
throws EBaseException {
- String method = "CertificateRepository.markAsRevoked:";
ModificationSet mods = new ModificationSet();
- if (isAlreadyOnHold) {
+ if (isAlreadyRevoked) {
mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info);
} else {
mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info);
@@ -1134,30 +1136,30 @@ public class CertificateRepository extends Repository
* When already revoked onHold, the fields already existing in record
* can only be replaced instead of added
*/
- if (isAlreadyOnHold) {
+ if (isAlreadyRevoked) {
if (uid == null) {
mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE,
- "system");
+ "system");
} else {
mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE,
- uid);
+ uid);
}
mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_REPLACE,
- CMS.getCurrentDate());
+ CMS.getCurrentDate());
} else {
if (uid == null) {
mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD,
- "system");
+ "system");
} else {
mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD,
- uid);
+ uid);
}
mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_ADD,
- CMS.getCurrentDate());
+ CMS.getCurrentDate());
+ mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE,
+ CertRecord.STATUS_REVOKED);
}
|
- mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE,
- CertRecord.STATUS_REVOKED);
modifyCertificateRecord(id, mods);
}
|
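Review bot: Moving the `ATTR_CERT_STATUS` MOD_REPLACE into the `else` branch means a call with `isAlreadyRevoked == true` no longer writes the status attribute at all, so correctness now rests on every such caller passing true only for a record whose status is already STATUS_REVOKED — the CAService call in this patch does check that before passing true, but nothing in this method enforces or documents it. Since a MOD_REPLACE of the status is harmless when the value is unchanged, the simplest option is to keep the status update outside the branch as it was; if the move is intended, add to the method's Javadoc `isAlreadyRevoked must only be true for a record whose status is already STATUS_REVOKED; the status attribute is not rewritten in that case`. The comment at the top of this hunk still reads "When already revoked onHold" although the renamed parameter now covers any already-revoked record; `When already revoked (possibly onHold), the fields already existing in record` would match the parameter's new meaning. markAsRevoked's signature and the first half of its body are in the previous hunk.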
--
1.8.3.1