[Pki-devel] [PATCH] 0037-2, 0053 ensure correct CRL contents for host CA

Fraser Tweedale ftweedal at redhat.com
Fri Oct 9 07:39:36 UTC 2015


The attached patches fix https://fedorahosted.org/pki/ticket/1626.

0037-2: earlier patch to store issuer DN in certificate entries,
updated to add indices for the 'issuerName' attribute.

0053: updates the filter used by CRLIP to find certs to include in
CRL.

Note the following limitations:

1. No database update in relation to issuerName attribute and
indices.  If people are otherwise satisfied with the patch, I will
file a ticket for the database upgrade aspect.

2. There is no way to define CRLIP for a lightweight CA.  There is a
separate ticket for this: https://fedorahosted.org/pki/ticket/1626
(currently not a priority).

Cheers,
Fraser
-------------- next part --------------
From 844a5f8697a28304a89824077c97f66a4c7fd42d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 11 Jun 2015 08:22:36 -0400
Subject: [PATCH] Store issuer DN in certificate records

Lightweight CAs mean that we may wish to filter certificates based
on the issuer.  Update X509CertImplMapper to store the issuer DN in
each certificate record, using existing schema.

Also add indices for the 'issuerName' LDAP attribute.
---
 base/ca/shared/conf/index.ldif                                   | 9 +++++++++
 base/ca/shared/conf/indextasks.ldif                              | 1 +
 base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java | 7 +++++--
 .../cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java       | 1 +
 .../cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java | 5 +++++
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/base/ca/shared/conf/index.ldif b/base/ca/shared/conf/index.ldif
index 11ebddfe31b1bf1a9cf83a65218293e3e435390f..90814b6a68a81f5edfb0ea97d92e86b79de3ae36 100644
--- a/base/ca/shared/conf/index.ldif
+++ b/base/ca/shared/conf/index.ldif
@@ -161,6 +161,15 @@ nsindexType: sub
 nsSystemindex: false
 cn: ownername
 
+dn: cn=issuername,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
+objectClass: top
+objectClass: nsIndex
+nsindexType: eq
+nsindexType: pres
+nsindexType: sub
+nsSystemindex: false
+cn: issuername
+
 dn: cn=subjectname,cn=index,cn={database},cn=ldbm database, cn=plugins, cn=config
 objectClass: top
 objectClass: nsIndex
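Review bot: the new issuername index carries `nsindexType: sub` in addition to `eq` and `pres`, but the CRL filter introduced in 0053 only uses an equality match (`issuerName=<DN>`) and a presence match (`issuerName=*`); a substring index on a DN-valued attribute adds write cost to every certificate record while serving no query in this series. Mirroring the subjectname entry is defensible for consistency, but if no substring search on issuerName is planned, dropping `sub` here and in the matching indextasks.ldif line is cheaper.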
diff --git a/base/ca/shared/conf/indextasks.ldif b/base/ca/shared/conf/indextasks.ldif
index 4db159ab0908ecbe540bd2680de3ed9f7a3d705a..8a32ac585f96392d8e3f5de6ff1ddb1686b54802 100644
--- a/base/ca/shared/conf/indextasks.ldif
+++ b/base/ca/shared/conf/indextasks.ldif
@@ -26,6 +26,7 @@ nsIndexAttribute: revokedOn:eq,pres
 nsIndexAttribute: archivedBy:eq,pres
 nsIndexAttribute: ownername:eq,pres,sub
 nsIndexAttribute: subjectname:eq,pres,sub
+nsIndexAttribute: issuername:eq,pres,sub
 nsIndexAttribute: requestsourceid:eq,pres,sub
 nsIndexAttribute: revInfo:eq,pres,sub
 nsIndexAttribute: extension:eq,pres,sub
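Review bot: this index task only runs at installation, so, as the cover letter already notes, existing deployments gain neither the issuername index nor populated issuerName values until a database upgrade step exists; until then the `(!(issuerName=*))` branch of the 0053 filter is an unindexed component on those instances. Worth a ticket reference in the commit message so the dependency is not lost.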
diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
index 76101d9b735eb44030013999af82df4c6d6b8370..23f4e07d43bffd51e41a75d0939e5ad807400f9d 100644
--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java
@@ -69,6 +69,7 @@ public interface ICertRecord extends IDBObj {
     public final static String X509CERT_DURATION = "duration";
     public final static String X509CERT_EXTENSION = "extension";
     public final static String X509CERT_SUBJECT = "subject";
+    public final static String X509CERT_ISSUER = "issuer";
     public final static String X509CERT_PUBLIC_KEY_DATA = "publicKeyData";
     public final static String X509CERT_VERSION = "version";
     public final static String X509CERT_ALGORITHM = "algorithm";
@@ -86,6 +87,8 @@ public interface ICertRecord extends IDBObj {
             ATTR_X509CERT + "." + X509CERT_EXTENSION;
     public final static String ATTR_X509CERT_SUBJECT =
             ATTR_X509CERT + "." + X509CERT_SUBJECT;
+    public final static String ATTR_X509CERT_ISSUER =
+            ATTR_X509CERT + "." + X509CERT_ISSUER;
     public final static String ATTR_X509CERT_VERSION =
             ATTR_X509CERT + "." + X509CERT_VERSION;
     public final static String ATTR_X509CERT_ALGORITHM =
@@ -119,9 +122,9 @@ public interface ICertRecord extends IDBObj {
     public X509CertImpl getCertificate();
 
     /**
-     * Retrieves name of who issued this certificate.
+     * Retrieves name of which user issued this certificate.
      *
-     * @return name of who issued this certificate
+     * @return name of which user issued this certificate
      */
     public String getIssuedBy();
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
index 916e83a8a207b84692e52ee8d4b7093b4e4b9634..ec1de1ca8426f1df146eca4935e137e8cd4e5cf0 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertDBSchema.java
@@ -42,6 +42,7 @@ public class CertDBSchema {
     public static final String LDAP_ATTR_VERSION = "version";
     public static final String LDAP_ATTR_DURATION = "duration";
     public static final String LDAP_ATTR_SUBJECT = "subjectName";
+    public static final String LDAP_ATTR_ISSUER = "issuerName";
     public static final String LDAP_ATTR_ALGORITHM = "algorithmId";
     public static final String LDAP_ATTR_SIGNING_ALGORITHM = "signingAlgorithmId";
     public static final String LDAP_ATTR_REVO_INFO = "revInfo";
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
index ef8577747e2d4eefb14430ce32cf32819ca88b11..d67f8e5df366a472f21b684ba3dd873be55d3333 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/X509CertImplMapper.java
@@ -61,6 +61,7 @@ public class X509CertImplMapper implements IDBAttrMapper {
         v.addElement(CertDBSchema.LDAP_ATTR_DURATION);
         v.addElement(CertDBSchema.LDAP_ATTR_EXTENSION);
         v.addElement(CertDBSchema.LDAP_ATTR_SUBJECT);
+        v.addElement(CertDBSchema.LDAP_ATTR_ISSUER);
         v.addElement(CertDBSchema.LDAP_ATTR_SIGNED_CERT);
         v.addElement(CertDBSchema.LDAP_ATTR_VERSION);
         v.addElement(CertDBSchema.LDAP_ATTR_ALGORITHM);
@@ -90,6 +91,8 @@ public class X509CertImplMapper implements IDBAttrMapper {
                     DBSUtil.longToDB(notAfter.getTime() - notBefore.getTime())));
             attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_SUBJECT,
                     cert.getSubjectDN().getName()));
+            attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_ISSUER,
+                    cert.getIssuerDN().getName()));
             attrs.add(new LDAPAttribute(CertDBSchema.LDAP_ATTR_PUBLIC_KEY_DATA, cert.getPublicKey().getEncoded()));
             // make extension searchable
             Set<String> nonCritSet = cert.getNonCriticalExtensionOIDs();
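Review bot: the value stored here, `cert.getIssuerDN().getName()`, must serialise identically to the value the CRL filter in 0053 builds from `mCA.getX500Name().toString()`; if the two formatters differ in RDN ordering, whitespace or escaping, the equality match silently excludes every certificate of that CA from its CRL, with no error to flag it. Unless issuerName has a DN syntax with a DN matching rule in the schema, suggest producing both strings through a single helper, or at least adding a test asserting that the stored value and the filter value agree for a representative DN. Using `getIssuerDN()` matches the existing subject line's style, so that part is fine.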
@@ -300,6 +303,8 @@ public class X509CertImplMapper implements IDBAttrMapper {
             }
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_SUBJECT)) {
             name = CertDBSchema.LDAP_ATTR_SUBJECT;
+        } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_ISSUER)) {
+            name = CertDBSchema.LDAP_ATTR_ISSUER;
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_PUBLIC_KEY_DATA)) {
             name = CertDBSchema.LDAP_ATTR_PUBLIC_KEY_DATA;
         } else if (suffix.equalsIgnoreCase(ICertRecord.X509CERT_DURATION)) {
-- 
2.4.3

-------------- next part --------------
From 61af27fab6293f2edd2d72787f52b14b205615fd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 9 Oct 2015 02:54:18 -0400
Subject: [PATCH] CRLIP: omit certs not issued by associated CA

Lightweight CAs mean that a single database can include certificates
from many issuers.  Update CRLIssuingPoint to only include
certificates issued by its associated CA.

For backwards compatibility, if the associated CA is the host CA,
certificate records with missing 'issuerName' attribute are also
included.

Fixes: https://fedorahosted.org/pki/ticket/1626
---
 base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fe230e937f25728f3789974ab57e2529a161533a..f6eaf72873a51a0bc301c16a8f9288e1f6c5441c 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -1868,11 +1868,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
             filter += "(" + CertRecord.ATTR_ID + "<=" + mEndSerial.toString() + ")";
         }
 
+        String issuerFilter =
+            "(" + CertRecord.ATTR_X509CERT_ISSUER
+            + "=" + mCA.getX500Name().toString() + ")";
+        // host authority may be absent issuer attribute
+        if (mCA.isHostAuthority()) {
+            issuerFilter =
+                "(|"
+                + "(!(" + CertRecord.ATTR_X509CERT_ISSUER + "=*))"
+                + issuerFilter
+                + ")";
+        }
+        filter += issuerFilter;
+
         // get all revoked non-expired certs.
-        if (mEndSerial != null || mBeginSerial != null || mCACertsOnly ||
-                (mProfileCertsOnly && mProfileList != null && mProfileList.size() > 0)) {
-            filter = "(&" + filter + ")";
-        }
+        filter = "(&" + filter + ")";
 
         return filter;
     }
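Review bot: the issuer DN is concatenated into the LDAP search filter without escaping; a CA subject containing `(`, `)`, `*` or `\` (an organisation name in parentheses is enough) yields a malformed filter or an unintended wildcard, so the value should be escaped per RFC 4515 before it is appended, as for any string placed into a filter. Two smaller points in the same hunk: the comment "host authority may be absent issuer attribute" should say what it means, e.g. "records issued by the host authority may lack the issuer attribute (pre-upgrade data)"; and since issuerFilter is now always appended, the unconditional `filter = "(&" + filter + ")"` is correct and the removed condition is no longer needed.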
-- 
2.4.3
