This patch fixes an additional issue in ticket:

https://fedorahosted.org/pki/ticket/1527

where, after the revocation CA has been correctly discovered, revokeCertificate still ends up using the default (original) CA instead.

Christina

>From 3b93a22c4ffa6e5e16cfd5c8ec02348c58b78422 Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@dhcp-16-189.sjc.redhat.com>
Date: Mon, 3 Oct 2016 17:02:10 -0700
Subject: [PATCH] Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)
 This patch fixes the bug that after revocation ca discovery, the
 revokeCertificate call goes back to the default ca, the ca that the
 certificate is to be enrolled with; this causes a problem when the revocation
 ca is a different ca.

---
 .../server/tps/cms/CARemoteRequestHandler.java     | 48 +++++++++++++++++-----
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index 8eafa36a587bc05783cd9962416b207c7065eddc..35a82d5ec6d45cfd2f823815f54385ce65838bc6 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
@@ -513,7 +513,21 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             String serialno,
             RevocationReason reason)
             throws EBaseException {
+        return revokeCertificate(null, serialno, reason);
+    }
+    private CARevokeCertResponse revokeCertificate(
+            String caConn,
+            String serialno,
+            RevocationReason reason)
+            throws EBaseException {
 
+        String revCAid = connid;
+        if (caConn != null) {
+            CMS.debug("CARemoteRequestHandler: revokeCertificate(): passed in ca ID: " + caConn);
+            revCAid = caConn;
+        } else {
+            CMS.debug("CARemoteRequestHandler: revokeCertificate(): using default ca ID:" + connid);
+        }
         CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins on serial#:" + serialno);
         if (serialno == null || reason == null) {
             throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): input parameter null.");
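Review bot: The new overload at lines 32-36 carries no Javadoc stating the contract of `caConn`: null falls back to this handler's `connid`, and a non-null value is trusted as a connector id, the only validation being the later `getConnector(revCAid) == null` check. Because the method is private and the only visible caller supplies ids from `caList`, that is acceptable today, but it should be written down so a future caller does not hand in an unvalidated id. I would add above the new signature: `/** Revokes serialno at CA connector caConn; null means the default connid. caConn must be a configured CA connector id — an unknown id fails at getConnector. */`. Two smaller points: the blank line between the two overloads is missing at lines 31-32, and the `serialno == null || reason == null` guard at line 46 runs after the debug lines, so a null serial is logged before it is rejected; moving the guard above the logging is a one-line reorder. The method body continues past the end of this hunk.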
@@ -524,9 +538,9 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
         TPSSubsystem subsystem =
                 (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
         HttpConnector conn =
-                (HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+                (HttpConnector) subsystem.getConnectionManager().getConnector(revCAid);
         if (conn == null) {
-            throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": HttpConnector conn null.");
+            throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + revCAid + ": HttpConnector conn null.");
         }
         CMS.debug("CARemoteRequestHandler: revokeCertificate(): sending request to CA");
         HttpResponse resp =
@@ -537,7 +551,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
                                 IRemoteRequest.CA_REVOKE_SERIAL + "=" + serialno + ")&" +
                                 IRemoteRequest.CA_REVOKE_COUNT + "=1");
         if (resp == null) {
-            throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + connid + ": response null.");
+            throw new EBaseException("CARemoteRequestHandler: revokeCertificate() to connid: " + revCAid + ": response null.");
         }
         String content = resp.getContent();
 
@@ -570,7 +584,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             response.put(IRemoteRequest.RESPONSE_STATUS, ist);
 
             CMS.debug("CARemoteRequestHandler: revokeCertificate(): ends.");
-            return new CARevokeCertResponse(connid, response);
+            return new CARevokeCertResponse(revCAid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: revokeCertificate(): no response content.");
             throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): no response content.");
@@ -588,7 +602,20 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
     private CARevokeCertResponse unrevokeCertificate(
             String serialno)
             throws EBaseException {
+        return unrevokeCertificate(null, serialno);
+    }
+    private CARevokeCertResponse unrevokeCertificate(
+            String caConn,
+            String serialno)
+            throws EBaseException {
 
+        String unrevCAid = connid;
+        if (caConn != null) {
+            CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): passed in ca ID: " + caConn);
+            unrevCAid = caConn;
+        } else {
+            CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): using default ca ID:" + connid);
+        }
         CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): begins on serial#:" + serialno);
         if (serialno == null) {
             throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate(): input parameter null.");
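Review bot: Lines 89-95 duplicate the CA-id selection block of revokeCertificate verbatim except for the method name in the debug text, so the fallback rule now lives in two places that must be kept in step. A small private helper taking the operation name would remove the duplication and give the rule a single documented home; both call sites then become one line. The rewritten part is shown below; the rest of unrevokeCertificate, which continues past this hunk, is unchanged.
```java
    /** CA connector id to use: caConn when supplied, else this handler's default connid. */
    private String resolveCaConnId(String op, String caConn) {
        if (caConn != null) {
            CMS.debug("CARemoteRequestHandler: " + op + "(): passed in ca ID: " + caConn);
            return caConn;
        }
        CMS.debug("CARemoteRequestHandler: " + op + "(): using default ca ID:" + connid);
        return connid;
    }

    private CARevokeCertResponse unrevokeCertificate(
            String caConn,
            String serialno)
            throws EBaseException {
        String unrevCAid = resolveCaConnId("unrevokeCertificate", caConn);
        // … unchanged: null check on serialno, connector lookup, send, response handling …
```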
@@ -597,16 +624,16 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
         TPSSubsystem subsystem =
                 (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
         HttpConnector conn =
-                (HttpConnector) subsystem.getConnectionManager().getConnector(connid);
+                (HttpConnector) subsystem.getConnectionManager().getConnector(unrevCAid);
         if (conn == null) {
-            throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": HttpConnector conn null.");
+            throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + unrevCAid + ": HttpConnector conn null.");
         }
         CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): sending request to CA");
         HttpResponse resp =
                 conn.send("unrevoke",
                         IRemoteRequest.CA_UNREVOKE_SERIAL + "=" + serialno);
         if (resp == null) {
-            throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + connid + ": response null.");
+            throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate() to connid: " + unrevCAid + ": response null.");
         }
         String content = resp.getContent();
 
@@ -639,7 +666,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             response.put(IRemoteRequest.RESPONSE_STATUS, ist);
 
             CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): ends.");
-            return new CARevokeCertResponse(connid, response);
+            return new CARevokeCertResponse(unrevCAid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
             throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
@@ -693,14 +720,15 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
         Exception exception = null;
 
         for (String ca : caList) {
+            CMS.debug("CARemoteRequestHandler: revokeFromOtherCA: processing caList: ca id:" + ca);
             try {
                 String caSkiString = getCaSki(ca);
                 if (certAkiString.equals(caSkiString)) {
                     CMS.debug("CARemoteRequestHandler: revokeFromOtherCA() cert AKI and caCert SKI matched");
                     if (revoke) {
-                        return revokeCertificate(serialno, reason);
+                        return revokeCertificate(ca, serialno, reason);
                     } else {
-                        return unrevokeCertificate(serialno);
+                        return unrevokeCertificate(ca, serialno);
                     }
                 } else { // not a match then iterate to next ca in list
                     CMS.debug("CARemoteRequestHandler: revokeFromOtherCA() cert AKI and caCert SKI not matched");
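Review bot: The revoke and unrevoke calls at lines 139 and 142 now target the CA whose SKI matched the certificate's AKI, which is the fix, but both calls sit inside the `try` opened at line 133 whose catch clause is outside the hunk; if that catch stores into `exception` and lets the loop continue, a failure at the matched CA would be masked by going on to try CAs that cannot have issued the certificate. Since the AKI/SKI comparison has already identified the issuer, an error from that CA should surface immediately rather than be retried elsewhere. I would either rethrow from the catch once a match was found, or keep only `getCaSki(ca)` inside the try and move the matching branch after it. The body of revokeFromOtherCA starts before and ends after this hunk, so the catch and the post-loop handling of `exception` cannot be checked here.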
-- 
2.7.4
