[Pki-devel] [PATCH] 0050 Lightweight CAs: ensure disabled CA cannot create sub-CA
Fraser Tweedale
ftweedal at redhat.com
Thu Oct 1 03:53:33 UTC 2015
The attached patch (which replaces an earlier patch 0050) fixes
https://fedorahosted.org/pki/ticket/1628.
Cheers,
Fraser
-------------- next part --------------
From 4af96699cd1a99e98b31199b2659abfaf6954a9f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 30 Sep 2015 23:46:36 -0400
Subject: [PATCH] Lightweight CAs: ensure disabled CA cannot create sub-CAs
Fixes: https://fedorahosted.org/pki/ticket/1628
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 3 +++
base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 3 ++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index b3663ed1d497d03651ad1fa753b4e23ae4aea6b0..d5523c14cc0132422c971b840324bd95bfa1fda9 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2405,6 +2405,9 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
String subjectDN, String description)
throws EBaseException {
+ if (!authorityEnabled)
+ throw new CADisabledException("Parent CA is disabled");
+
// check requested DN
X500Name subjectX500Name = null;
try {
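Review bot: The new guard reads `authorityEnabled` once at method entry, and the hunk does not show whether that field is volatile or whether this method and the disable path share a lock, so a disable that races with sub-CA creation could still complete after the check passes; if the rest of the method is not already serialized against disable, consider re-checking the flag immediately before the new authority is persisted, or documenting the ordering assumption in a comment. The method's signature and the remainder of its body lie outside the hunk. Its Javadoc (also outside the hunk) should gain `@throws CADisabledException if this authority is disabled` so the REST layer's mapping of that exception is visible from the API. The added `if` would also be safer braced, per common Java style: `if (!authorityEnabled) { throw new CADisabledException("Parent CA is disabled"); }`.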
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 820f8ab6499eed9fdb8e3d8d782df64c71ad1fc3..2aa0e97d966d7f879a9999966fb5942bb54dcf42 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -42,6 +42,7 @@ import com.netscape.certsrv.base.ForbiddenException;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceNotFoundException;
import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.CADisabledException;
import com.netscape.certsrv.ca.CANotFoundException;
import com.netscape.certsrv.ca.CATypeException;
import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -184,7 +185,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
throw new BadRequestException(e.toString());
} catch (CANotFoundException e) {
throw new ResourceNotFoundException(e.toString());
- } catch (IssuerUnavailableException e) {
+ } catch (IssuerUnavailableException | CADisabledException e) {
throw new ConflictingOperationException(e.toString());
} catch (Exception e) {
CMS.debug(e);
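Review bot: Routing CADisabledException through the existing `ConflictingOperationException(e.toString())` line means the client-visible message for a disabled parent becomes the exception's fully-qualified class name followed by "Parent CA is disabled", because Throwable.toString() prefixes the class name; the neighbouring catch clauses already do this, but for the newly mapped case `e.getMessage()` would yield just the intended text, e.g. `throw new ConflictingOperationException(e.getMessage());`. Applying that to IssuerUnavailableException as well changes an existing response format that clients may parse, so it may be preferable to keep the multi-catch and only normalise the message for CADisabledException, or to confirm no caller depends on the current form. The enclosing method starts and ends outside the hunk.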
--
2.4.3