[Pki-devel] [PATCH] 0037 Store issuer DN in certificate records

Fraser Tweedale ftweedal at redhat.com
Thu Jun 11 14:24:00 UTC 2015


This patch causes Issuer DN to be stored in certificate records
using existing (unused) 'issuerName' attribute schema.

This will allow me to change sub-CAs implementation to a shared
certificate repo which means I don't have to worry about range
management anymore :)  But I think it is a sensible change in its
own right.

UI / CLI filters for issuer can come later - there's a TODO for that
on my tracking etherpad[1] and I will file a ticket later.

[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress

Cheers,
Fraser
-------------- next part --------------
From 40b4c6f4836500987a9855ccc8bdc1eb6d7d8f73 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 11 Jun 2015 08:22:36 -0400
Subject: [PATCH] Store issuer DN in certificate records

Lightweight CAs mean that we may wish to filter certificates based
on the issuer.  Update X509CertImplMapper to store the issuer DN in
each certificate record, using existing schema.
---
 base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java   | 7 +++++--
 base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java | 1 +
 .../cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java   | 5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
index 76101d9b735eb44030013999af82df4c6d6b8370..23f4e07d43bffd51e41a75d0939e5ad807400f9d 100644
--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
@@ -69,6 +69,7 @@ public interface ICertRecord extends IDBObj {
     public final static String X509CERT_DURATION = "duration";
     public final static String X509CERT_EXTENSION = "extension";
     public final static String X509CERT_SUBJECT = "subject";
+    public final static String X509CERT_ISSUER = "issuer";
     public final static String X509CERT_PUBLIC_KEY_DATA = "publicKeyData";
     public final static String X509CERT_VERSION = "version";
     public final static String X509CERT_ALGORITHM = "algorithm";
@@ -86,6 +87,8 @@ public interface ICertRecord extends IDBObj {
             ATTR_X509CERT + "." + X509CERT_EXTENSION;
     public final static String ATTR_X509CERT_SUBJECT =
             ATTR_X509CERT + "." + X509CERT_SUBJECT;
+    public final static String ATTR_X509CERT_ISSUER =
+            ATTR_X509CERT + "." + X509CERT_ISSUER;
     public final static String ATTR_X509CERT_VERSION =
             ATTR_X509CERT + "." + X509CERT_VERSION;
     public final static String ATTR_X509CERT_ALGORITHM =
@@ -119,9 +122,9 @@ public interface ICertRecord extends IDBObj {
     public X509CertImpl getCertificate();
 
     /**
-     * Retrieves name of who issued this certificate.
+     * Retrieves name of which user issued this certificate.
      *
-     * @return name of who issued this certificate
+     * @return name of which user issued this certificate
      */
     public String getIssuedBy();
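Review bot: The reworded Javadoc on getIssuedBy() ("name of which user issued this certificate") is hard to parse and still leaves it unclear how this value differs from the X.509 issuer DN that this patch starts storing under ATTR_X509CERT_ISSUER in the same interface. Since the wording change appears intended to draw exactly that distinction, say it directly: `Retrieves the name of the user (agent) who issued this certificate. This is not the X.509 issuer DN, which is held in the ATTR_X509CERT_ISSUER attribute.` with a matching `@return name of the issuing user (agent), not the issuer DN`.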
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
index 916e83a8a207b84692e52ee8d4b7093b4e4b9634..ec1de1ca8426f1df146eca4935e137e8cd4e5cf0 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
@@ -42,6 +42,7 @@ public class CertDBSchema {
     public static final String LDAP_ATTR_VERSION = "version";
     public static final String LDAP_ATTR_DURATION = "duration";
     public static final String LDAP_ATTR_SUBJECT = "subjectName";
+    public static final String LDAP_ATTR_ISSUER = "issuerName";
     public static final String LDAP_ATTR_ALGORITHM = "algorithmId";
     public static final String LDAP_ATTR_SIGNING_ALGORITHM = "signingAlgorithmId";
     public static final String LDAP_ATTR_REVO_INFO = "revInfo";
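Review bot: The new LDAP_ATTR_ISSUER constant reuses the `issuerName` attribute that the commit message says already exists in the schema, but nothing in the code records that the stored value is the certificate's X.509 issuer DN rather than the issuing user; the neighbouring `issuedBy`-style record field makes that easy to conflate. A one-line comment on the constant would settle it: `// X.509 issuer DN of the certificate (not the issuing agent); pre-existing schema attribute`. Whether `issuerName` is indexed for the issuer filters the message anticipates cannot be seen from the patch and is worth confirming before searches depend on it.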
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
index ef8577747e2d4eefb14430ce32cf32819ca88b11..d67f8e5df366a472f21b684ba3dd873be55d3333 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
@@ -61,6 +61,7 @@ public class X509CertImplMapper implements IDBAttrMapper {
         v.addElement(CertDBSchema.LDAP_ATTR_DURATION);
         v.addElement(CertDBSchema.LDAP_ATTR_EXTENSION);
         v.addElement(CertDBSchema.LDAP_ATTR_SUBJECT);
+        v.addElement(CertDBSchema.LDAP_ATTR_ISSUER);
         v.addElement(CertDBSchema.LDAP_ATTR_SIGNED_CERT);
         v.addElement(CertDBSchema.LDAP_ATTR_VERSION);
         v.addElement(CertDBSchema.LDAP_ATTR_ALGORITHM);
@@ -90,6 +91,8 @@ public class X509CertImplMapper implements IDBAttrMapper {
                     DBSUtil.longToDB(notAfter.getTime() - notBefore.getTime())));
             attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_SUBJECT,
                     cert.getSubjectDN().getName()));
+            attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_ISSUER,
+                    cert.getIssuerDN().getName()));
             attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_PUBLIC_KEY_DATA, cert.getPublicKey().getEncoded()));
             // make extension searchable
             Set<String> nonCritSet = cert.getNonCriticalExtensionOIDs();
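Review bot: The value written by the new LDAPAttribute lines is the string that `cert.getIssuerDN().getName()` happens to render, so any issuer filter later built against this attribute must produce the same rendering; a DN typed by an operator or emitted by another serializer (different RDN order, spacing or escaping) would fail a string comparison even though it names the same issuer. This mirrors the subject line directly above, so it is not a defect introduced here, but a comment would help whoever writes the filter: `// Issuer DN as rendered by getName(); filters must use the same rendering.` If DN-aware matching is intended, confirm that the `issuerName` schema attribute uses a DN syntax rather than a plain string syntax. The enclosing method starts and ends outside this hunk.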
@@ -300,6 +303,8 @@ public class X509CertImplMapper implements IDBAttrMapper {
             }
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_SUBJECT)) {
             name = CertDBSchema.LDAP_ATTR_SUBJECT;
+        } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_ISSUER)) {
+            name = CertDBSchema.LDAP_ATTR_ISSUER;
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_PUBLIC_KEY_DATA)) {
             name = CertDBSchema.LDAP_ATTR_PUBLIC_KEY_DATA;
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_DURATION)) {
-- 
2.1.0


