[Pki-devel] [PATCH] 627 Fixed default cert-find filter.

Endi Sukma Dewata edewata at redhat.com
Mon Jul 6 18:15:14 UTC 2015


To improve performance, the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449

-- 
Endi S. Dewata
-------------- next part --------------
From 1333b5ffcd7454b43c99bc244a6bf7ab777aaf3b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 6 Jul 2015 13:31:22 -0400
Subject: [PATCH] Fixed default cert-find filter.

To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449
---
 .../org/dogtagpki/server/ca/rest/CertService.java  |  16 +-
 .../com/netscape/cmstools/cert/CertFindCLI.java    |   1 -
 .../netscape/cms/servlet/cert/FilterBuilder.java   | 244 +++++++++++----------
 3 files changed, 134 insertions(+), 127 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index ee974d446b689b089221bbaf2c7b6a5780c2f6bb..e43909bbb59837064711447c5e1733a3ca70970c 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -367,15 +367,13 @@ public class CertService extends PKIService implements CertResource {
     }
 
     private String createSearchFilter(String status) {
-        String filter = "";
+        String filter;
 
-        if ((status == null)) {
-            filter = "(serialno=*)";
-            return filter;
-        }
+        if (status == null) {
+            filter = "(certstatus=*)"; // allCerts VLV
 
-        if (status != null) {
-            filter += "(certStatus=" + LDAPUtil.escapeFilter(status) + ")";
+        } else  {
+            filter = "(certStatus=" + LDAPUtil.escapeFilter(status) + ")";
         }
 
         return filter;
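Review bot: An empty `status` still falls into the `else` branch of createSearchFilter and produces `(certStatus=)`, whereas FilterBuilder.buildStatusFilter in this same patch treats `""` like `null`. The guard should be `if (status == null || status.isEmpty()) {` so that an empty request parameter also gets the VLV-backed default. The default literal is spelled `(certstatus=*)` here and in FilterBuilder.buildFilter but `certStatus` in the other branch; a single shared constant with a comment naming the VLV index it must match would keep the two copies from drifting. The method's closing brace lies outside the hunk.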
@@ -398,7 +396,7 @@ public class CertService extends PKIService implements CertResource {
         size       = size == null ? DEFAULT_SIZE : size;
 
         String filter = createSearchFilter(status);
-        CMS.debug("listCerts: filter is " + filter);
+        CMS.debug("CertService.listCerts: filter: " + filter);
 
         CertDataInfos infos = new CertDataInfos();
         try {
@@ -450,7 +448,9 @@ public class CertService extends PKIService implements CertResource {
 
         start = start == null ? 0 : start;
         size = size == null ? DEFAULT_SIZE : size;
+
         String filter = createSearchFilter(data);
+        CMS.debug("CertService.searchCerts: filter: " + filter);
 
         CertDataInfos infos = new CertDataInfos();
         try {
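Review bot: The added `CMS.debug("CertService.searchCerts: filter: " + filter)` writes the whole search filter to the debug log, and per FilterBuilder that filter carries caller-supplied subject terms (e-mail, common name, user ID). Whether `LDAPUtil.escapeFilter` or `CMS.debug` neutralises CR/LF is not visible in this patch, so a value with line breaks could presumably break up log entries; the reworded message in listCerts logs the status-derived filter the same way. Consider replacing control characters before logging and adding a comment such as `// filter contains user-supplied search terms`. The enclosing method starts and ends outside the hunk.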
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
index 8c7a4df14c12985611b6f50f37a2c59671ad9fd1..cb2d80ef35446dcd5714f0b6957ab194d3bf6da2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
@@ -254,7 +254,6 @@ public class CertFindCLI extends CLI {
 
         } else {
             searchData = new CertSearchRequest();
-            searchData.setSerialNumberRangeInUse(true);
         }
 
         String s = cmd.getOptionValue("start");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
index 5c337afeebe90d768df4cf47d1dd20adb3ed6006..be44c47b5f7979b5a2bd35254ce65b27409e8af0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
@@ -18,7 +18,9 @@
 
 package com.netscape.cms.servlet.cert;
 
+import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.List;
 import java.util.StringTokenizer;
 
 import com.netscape.certsrv.cert.CertSearchRequest;
@@ -30,210 +32,214 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
  *
  */
 public class FilterBuilder {
-    private final static String MATCH_EXACTLY = "exact";
-    private String searchFilter = null;
-    private CertSearchRequest request = null;
+
+    private List<String> filters = new ArrayList<String>();
+    private CertSearchRequest request;
 
     public FilterBuilder(CertSearchRequest request) {
         this.request = request;
     }
 
     public String buildFilter() {
-        StringBuffer filter = new StringBuffer();
-        buildSerialNumberRangeFilter(filter);
-        buildSubjectFilter(filter);
-        buildStatusFilter(filter);
-        buildRevokedByFilter(filter);
-        buildRevokedOnFilter(filter);
-        buildRevocationReasonFilter(filter);
-        buildIssuedByFilter(filter);
-        buildIssuedOnFilter(filter);
-        buildValidNotBeforeFilter(filter);
-        buildValidNotAfterFilter(filter);
-        buildValidityLengthFilter(filter);
-        buildCertTypeFilter(filter);
 
-        searchFilter = filter.toString();
+        buildSerialNumberRangeFilter();
+        buildSubjectFilter();
+        buildStatusFilter();
+        buildRevokedByFilter();
+        buildRevokedOnFilter();
+        buildRevocationReasonFilter();
+        buildIssuedByFilter();
+        buildIssuedOnFilter();
+        buildValidNotBeforeFilter();
+        buildValidNotAfterFilter();
+        buildValidityLengthFilter();
+        buildCertTypeFilter();
 
-        if (searchFilter != null && !searchFilter.equals("")) {
-            searchFilter = "(&" + searchFilter + ")";
+        if (filters.size() == 0) {
+            return "(certstatus=*)"; // allCerts VLV
+
+        } else if (filters.size() == 1) {
+            return filters.get(0);
+
+        } else {
+            StringBuilder sb = new StringBuilder();
+            for (String filter : filters) {
+                sb.append(filter);
+            }
+            return "(&" + sb + ")";
         }
-
-        return searchFilter;
     }
 
-    private void buildSerialNumberRangeFilter(StringBuffer filter) {
+    private void buildSerialNumberRangeFilter() {
 
-        if (!request.getSerialNumberRangeInUse()) {
-            return;
-        }
-        boolean changed = false;
         String serialFrom = request.getSerialFrom();
         if (serialFrom != null && !serialFrom.equals("")) {
-            filter.append("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")");
-            changed = true;
+            filters.add("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")");
         }
+
         String serialTo = request.getSerialTo();
         if (serialTo != null && !serialTo.equals("")) {
-            filter.append("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")");
-            changed = true;
+            filters.add("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")");
         }
-        if (!changed) {
-            filter.append("(certRecordId=*)");
-        }
-
     }
 
-    private void buildSubjectFilter(StringBuffer filter) {
+    private void buildSubjectFilter() {
+
         if (!request.getSubjectInUse()) {
             return;
         }
+
         StringBuffer lf = new StringBuffer();
-
-        String matchStr = null;
         boolean match = request.getMatchExactly();
 
-        if (match == true) {
-            matchStr = MATCH_EXACTLY;
-        }
-
-        buildAVAFilter(request.getEmail(), "E", lf, matchStr);
-        buildAVAFilter(request.getCommonName(), "CN", lf, matchStr);
-        buildAVAFilter(request.getUserID(), "UID", lf, matchStr);
-        buildAVAFilter(request.getOrgUnit(), "OU", lf, matchStr);
-        buildAVAFilter(request.getOrg(), "O", lf, matchStr);
-        buildAVAFilter(request.getLocality(), "L", lf, matchStr);
-        buildAVAFilter(request.getState(), "ST", lf, matchStr);
-        buildAVAFilter(request.getCountry(), "C", lf, matchStr);
+        buildAVAFilter(request.getEmail(), "E", lf, match);
+        buildAVAFilter(request.getCommonName(), "CN", lf, match);
+        buildAVAFilter(request.getUserID(), "UID", lf, match);
+        buildAVAFilter(request.getOrgUnit(), "OU", lf, match);
+        buildAVAFilter(request.getOrg(), "O", lf, match);
+        buildAVAFilter(request.getLocality(), "L", lf, match);
+        buildAVAFilter(request.getState(), "ST", lf, match);
+        buildAVAFilter(request.getCountry(), "C", lf, match);
 
         if (lf.length() == 0) {
-            filter.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*)");
-            return;
-        }
-        if (matchStr != null && matchStr.equals(MATCH_EXACTLY)) {
-            filter.append("(&");
-            filter.append(lf);
-            filter.append(")");
+            filters.add("(" + ICertRecord.ATTR_X509CERT_SUBJECT + "=*)");
+
+        } else if (match) {
+            filters.add("(&" + lf + ")");
+
         } else {
-            filter.append("(|");
-            filter.append(lf);
-            filter.append(")");
+            filters.add("(|" + lf + ")");
         }
     }
 
-    private void buildStatusFilter(StringBuffer filter) {
+    private void buildStatusFilter() {
+
         String status = request.getStatus();
         if (status == null || status.equals("")) {
             return;
         }
-        filter.append("(certStatus=");
-        filter.append(LDAPUtil.escapeFilter(status));
-        filter.append(")");
+
+        filters.add("(certStatus=" + LDAPUtil.escapeFilter(status) + ")");
     }
 
-    private void buildRevokedByFilter(StringBuffer filter) {
+    private void buildRevokedByFilter() {
+
         if (!request.getRevokedByInUse()) {
             return;
         }
 
         String revokedBy = request.getRevokedBy();
         if (revokedBy == null || revokedBy.equals("")) {
-            filter.append("(certRevokedBy=*)");
+            filters.add("(certRevokedBy=*)");
+
         } else {
-            filter.append("(certRevokedBy=");
-            filter.append(LDAPUtil.escapeFilter(revokedBy));
-            filter.append(")");
+            filters.add("(certRevokedBy=" + LDAPUtil.escapeFilter(revokedBy) + ")");
         }
     }
 
     private void buildDateFilter(String prefix,
-            String outStr, long adjustment,
-            StringBuffer filter) {
+            String outStr, long adjustment) {
+
         if (prefix == null || prefix.length() == 0) return;
+
         long epoch = Long.parseLong(prefix);
         Calendar from = Calendar.getInstance();
         from.setTimeInMillis(epoch);
+
+        StringBuilder filter = new StringBuilder();
         filter.append("(");
         filter.append(LDAPUtil.escapeFilter(outStr));
         filter.append(Long.toString(from.getTimeInMillis() + adjustment));
         filter.append(")");
+
+        filters.add(filter.toString());
     }
 
-    private void buildRevokedOnFilter(StringBuffer filter) {
+    private void buildRevokedOnFilter() {
+
         if (!request.getRevokedOnInUse()) {
             return;
         }
-        buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0, filter);
-        buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999, filter);
+
+        buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0);
+        buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999);
     }
 
-    private void buildRevocationReasonFilter(StringBuffer filter) {
+    private void buildRevocationReasonFilter() {
+
         if (!request.getRevocationReasonInUse()) {
             return;
         }
+
         String reasons = request.getRevocationReason();
         if (reasons == null) {
             return;
         }
-        String queryCertFilter = null;
+
+        StringBuilder filter = new StringBuilder();
         StringTokenizer st = new StringTokenizer(reasons, ",");
         int count = st.countTokens();
         if (st.hasMoreTokens()) {
-            if (count >=2) filter.append("(|");
+            if (count >= 2) filter.append("(|");
             while (st.hasMoreTokens()) {
                 String token = st.nextToken();
-                if (queryCertFilter == null) {
-                    queryCertFilter = "";
-                }
                 filter.append("(x509cert.certRevoInfo=");
                 filter.append(LDAPUtil.escapeFilter(token));
                 filter.append(")");
             }
             if (count >= 2) filter.append(")");
         }
+
+        filters.add(filter.toString());
     }
 
-    private void buildIssuedByFilter(StringBuffer filter) {
+    private void buildIssuedByFilter() {
+
         if (!request.getIssuedByInUse()) {
             return;
         }
+
         String issuedBy = request.getIssuedBy();
         if (issuedBy == null || issuedBy.equals("")) {
-            filter.append("(certIssuedBy=*)");
+            filters.add("(certIssuedBy=*)");
         } else {
-            filter.append("(certIssuedBy=");
-            filter.append(LDAPUtil.escapeFilter(issuedBy));
-            filter.append(")");
+            filters.add("(certIssuedBy=" + LDAPUtil.escapeFilter(issuedBy) + ")");
         }
     }
 
-    private void buildIssuedOnFilter(StringBuffer filter) {
+    private void buildIssuedOnFilter() {
+
         if (!request.getIssuedOnInUse()) {
             return;
         }
-        buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0, filter);
-        buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999, filter);
+
+        buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0);
+        buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999);
     }
 
-    private void buildValidNotBeforeFilter(StringBuffer filter) {
+    private void buildValidNotBeforeFilter() {
+
         if (!request.getValidNotBeforeInUse()) {
             return;
         }
-        buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0, filter);
-        buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999, filter);
+
+        buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0);
+        buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999);
 
     }
 
-    private void buildValidNotAfterFilter(StringBuffer filter) {
+    private void buildValidNotAfterFilter() {
+
         if (!request.getValidNotAfterInUse()) {
             return;
         }
-        buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0, filter);
-        buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999, filter);
+
+        buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0);
+        buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999);
 
     }
 
-    private void buildValidityLengthFilter(StringBuffer filter) {
+    private void buildValidityLengthFilter() {
         if (!request.getValidityLengthInUse()) {
             return;
         }
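Review bot: buildRevocationReasonFilter now calls `filters.add(filter.toString())` unconditionally, so a revocation reason that is empty or holds only commas adds `""` to the list; with no other criteria `filters.size()` is 1 and buildFilter returns an empty filter instead of the `(certstatus=*)` default this commit introduces. Guard it with `if (filter.length() > 0) filters.add(filter.toString());`. Related: `filters` is now an instance field that is never reset, so calling buildFilter() a second time on the same FilterBuilder would append every clause again, which the old local StringBuffer did not do; a `filters.clear();` at the top of buildFilter (or a local list) restores that. The hunk ends inside buildValidityLengthFilter, whose body continues in the next hunk.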
@@ -242,70 +248,72 @@ public class FilterBuilder {
         Integer count = request.getValidityCount();
         Long unit = request.getValidityUnit();
 
+        StringBuilder filter = new StringBuilder();
         filter.append("(");
         filter.append(ICertRecord.ATTR_X509CERT_DURATION);
         filter.append(LDAPUtil.escapeFilter(op));
         filter.append(count * unit);
         filter.append(")");
+
+        filters.add(filter.toString());
     }
 
-    private void buildCertTypeFilter(StringBuffer filter) {
+    private void buildCertTypeFilter() {
+
         if (!request.getCertTypeInUse()) {
             return;
         }
+
         if (isOn(request.getCertTypeSSLClient())) {
-            filter.append("(x509cert.nsExtension.SSLClient=on)");
+            filters.add("(x509cert.nsExtension.SSLClient=on)");
         } else if (isOff(request.getCertTypeSSLClient())) {
-            filter.append("(x509cert.nsExtension.SSLClient=off)");
+            filters.add("(x509cert.nsExtension.SSLClient=off)");
         }
+
         if (isOn(request.getCertTypeSSLServer())) {
-            filter.append("(x509cert.nsExtension.SSLServer=on)");
+            filters.add("(x509cert.nsExtension.SSLServer=on)");
         } else if (isOff(request.getCertTypeSSLServer())) {
-            filter.append("(x509cert.nsExtension.SSLServer=off)");
+            filters.add("(x509cert.nsExtension.SSLServer=off)");
         }
+
         if (isOn(request.getCertTypeSecureEmail())) {
-            filter.append("(x509cert.nsExtension.SecureEmail=on)");
+            filters.add("(x509cert.nsExtension.SecureEmail=on)");
         } else if (isOff(request.getCertTypeSecureEmail())) {
-            filter.append("(x509cert.nsExtension.SecureEmail=off)");
+            filters.add("(x509cert.nsExtension.SecureEmail=off)");
         }
+
         if (isOn(request.getCertTypeSubSSLCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateSSLCA=on)");
+            filters.add("(x509cert.nsExtension.SubordinateSSLCA=on)");
         } else if (isOff(request.getCertTypeSubSSLCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateSSLCA=off)");
+            filters.add("(x509cert.nsExtension.SubordinateSSLCA=off)");
         }
+
         if (isOn(request.getCertTypeSubEmailCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateEmailCA=on)");
+            filters.add("(x509cert.nsExtension.SubordinateEmailCA=on)");
         } else if (isOff(request.getCertTypeSubEmailCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateEmailCA=off)");
+            filters.add("(x509cert.nsExtension.SubordinateEmailCA=off)");
         }
     }
 
     private boolean isOn(String value) {
-        String inUse = value;
-        if (inUse == null) {
-            return false;
-        }
-        if (inUse.equals("on")) {
+        if (value != null && value.equals("on")) {
             return true;
         }
         return false;
     }
 
     private boolean isOff(String value) {
-        String inUse = value;
-        if (inUse == null) {
-            return false;
-        }
-        if (inUse.equals("off")) {
+        if (value != null && value.equals("off")) {
             return true;
         }
         return false;
     }
 
     private void buildAVAFilter(String param,
-            String avaName, StringBuffer lf, String match) {
+            String avaName, StringBuffer lf, boolean match) {
+
         if (param != null && !param.equals("")) {
-            if (match != null && match.equals(MATCH_EXACTLY)) {
+            if (match) {
                 lf.append("(|");
                 lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*");
                 lf.append(avaName);
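Review bot: In buildValidityLengthFilter, `filter.append(count * unit)` unboxes an `Integer` and a `Long` taken straight from the request, so if validityLengthInUse is set while either value is missing this presumably throws a NullPointerException rather than rejecting the search cleanly. A guard before the new StringBuilder is created, e.g. `if (count == null || unit == null) return;`, would match how the other build methods skip absent input. The operator `op` is defined outside the hunk, so whether it is restricted to known comparison operators before being placed in the filter cannot be checked here and is worth confirming. The method starts before this hunk.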
@@ -318,6 +326,7 @@ public class FilterBuilder {
                 lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param)));
                 lf.append(")");
                 lf.append(")");
+
             } else {
                 lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*");
                 lf.append(avaName);
@@ -327,6 +336,5 @@ public class FilterBuilder {
                 lf.append("*)");
             }
         }
-
     }
 }
-- 
1.9.3


