[Pki-devel] [PATCH] 65 Added cert revocation REST service.

Endi Sukma Dewata edewata at redhat.com
Fri Jul 6 15:59:25 UTC 2012


I'm posting some new patches. Please apply in this order: 71, 65-2, 
66-2, 72.

On 6/27/2012 2:42 PM, Ade Lee wrote:
> 1. In revokeCert(), you should throw BadRequestException() or similar
> rather than EBaseException if the cert being revoked is the CA cert, or
> if the cert is already revoked.  That should show up as a 4XX error.

Fixed. I also added UnauthorizedException.

> 2. It looks like you do not handle nonces.  We need a task to figure out
> how to do this.

https://fedorahosted.org/pki/ticket/213

> 3. There is still a fair amount of logic that is in the legacy servlet
> and RESTful servlet.  I would suggest moving the logic that checks
> whether or not the cert should be revoked - i.e. is already revoked, or
> CA cert already revoked or belongs to different subject or is a system
> cert to processor.addCertificateToRevoke() or some similar method.  You
> can use exceptions/returns to populate rarg appropriately in the legacy
> servlet.

Some cert validation logic has been moved into 
validateCertificateToRevoke(). There is some authorization logic that I 
left in the servlet/REST service; it should be moved to Tomcat 
authentication later.

> 4. What happens if the request is pending or rejected -- i.e. not
> completed.  How would the client know?  Should we be returning some kind
> of revocation status object?  Or the revocation request itself?

The REST methods now return the request objects, which contain the 
request status. The CLI will check: if the status is complete, it will 
show the cert info. Otherwise, it will show the request status.

-- 
Endi S. Dewata
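As an added illustration (not the attached patch and not Dogtag's own classes), here is the shape the review converges on: one validateCertificateToRevoke() holding the revocation checks, client errors surfaced as BadRequestException/UnauthorizedException instead of a generic EBaseException, and revokeCert() returning the request object so the CLI can branch on its status. The CertRecord, RevocationRequest and RevokeCommand types and the agent/end-entity workflow are assumptions made for the example.

```java
import java.math.BigInteger;

// Stand-ins for the exception types named in the thread (not Dogtag's own classes).
class BadRequestException extends RuntimeException {   // surfaces as HTTP 400
    BadRequestException(String m) { super(m); }
}
class UnauthorizedException extends RuntimeException { // surfaces as HTTP 401
    UnauthorizedException(String m) { super(m); }
}

// Hypothetical minimal certificate record.
class CertRecord {
    BigInteger serial; String subjectDN; boolean revoked; boolean caCert;
    CertRecord(BigInteger serial, String subjectDN, boolean revoked, boolean caCert) {
        this.serial = serial; this.subjectDN = subjectDN; this.revoked = revoked; this.caCert = caCert;
    }
}

// Hypothetical request object: returned to the client so it can read the status itself.
class RevocationRequest {
    enum Status { PENDING, COMPLETE, REJECTED }
    final BigInteger serial; Status status = Status.PENDING;
    RevocationRequest(BigInteger serial) { this.serial = serial; }
}

class RevocationProcessor {
    // All "may this cert be revoked?" rules in one place, shared by the legacy servlet
    // and the REST service; each failure is a client error, not a generic server error.
    void validateCertificateToRevoke(CertRecord cert, String callerDN, boolean isAgent) {
        if (cert.caCert)  throw new BadRequestException("refusing to revoke the CA certificate");
        if (cert.revoked) throw new BadRequestException("cert " + cert.serial + " is already revoked");
        if (!isAgent && !cert.subjectDN.equals(callerDN))
            throw new UnauthorizedException("cert " + cert.serial + " belongs to a different subject");
    }

    // Assumed workflow: an agent's request completes immediately, an end-entity's is queued.
    RevocationRequest revokeCert(CertRecord cert, String callerDN, boolean isAgent) {
        validateCertificateToRevoke(cert, callerDN, isAgent);
        RevocationRequest req = new RevocationRequest(cert.serial);
        if (isAgent) { cert.revoked = true; req.status = RevocationRequest.Status.COMPLETE; }
        return req;
    }
}

class RevokeCommand {
    // CLI side as described in the reply: cert info only once the request is complete.
    static String describe(RevocationRequest req, CertRecord cert) {
        if (req.status == RevocationRequest.Status.COMPLETE)
            return "Revoked " + cert.subjectDN + " (serial " + cert.serial + ")";
        return "Request for serial " + req.serial + " is " + req.status;
    }
}
```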


-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0065-2-Added-cert-revocation-REST-service.patch
Type: text/x-patch
Size: 126331 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120706/cd61aa64/attachment.bin>

