[Pki-devel] [PATCH] 0133 Revoke lightweight CA certificate on deletion

Fraser Tweedale ftweedal at redhat.com
Thu Aug 25 04:18:40 UTC 2016


Hi team,

The attached patch implements cert revocation on LWCA deletion.  The
TODO for parametrising over revocation reason and invalidity date is
intentional - I just want to get the minimal viable solution into
10.3.x ASAP and we can look at what more is wanted/needed later.

Thanks,
Fraser
-------------- next part --------------
From cbbaf433c3b423271233ebf08d52fe95682b9e8f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 25 Aug 2016 12:55:14 +1000
Subject: [PATCH] Revoke lightweight CA certificate on deletion

Fixes: https://fedorahosted.org/pki/ticket/1638
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 39 +++++++++++++++++++++-
 .../dogtagpki/server/ca/rest/AuthorityService.java |  2 +-
 .../netscape/certsrv/ca/ICertificateAuthority.java |  2 +-
 3 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a5397da0c0dcea654a15f16e5becc5c430a1bb29..ab48409d8c3d481b5dc2d0c00b97cc2487f49189 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
 import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
 import com.netscape.cms.servlet.cert.EnrollmentProcessor;
 import com.netscape.cms.servlet.cert.RenewalProcessor;
+import com.netscape.cms.servlet.cert.RevocationProcessor;
 import com.netscape.cms.servlet.processors.CAProcessor;
 import com.netscape.cmscore.base.ArgBlock;
 import com.netscape.cmscore.dbs.CRLRepository;
@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain;
 import netscape.security.x509.CertificateIssuerName;
 import netscape.security.x509.CertificateSubjectName;
 import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.RevocationReason;
 import netscape.security.x509.X500Name;
 import netscape.security.x509.X500Signer;
 import netscape.security.x509.X509CRLImpl;
@@ -2964,7 +2966,8 @@ public class CertificateAuthority
         authorityKeyHosts.add(thisClone);
     }
 
-    public synchronized void deleteAuthority() throws EBaseException {
+    public synchronized void deleteAuthority(HttpServletRequest httpReq)
+            throws EBaseException {
         if (isHostAuthority())
             throw new CATypeException("Cannot delete the host CA");
 
@@ -2984,10 +2987,44 @@ public class CertificateAuthority
 
         shutdown();
 
+        revokeAuthority(httpReq);
         deleteAuthorityEntry(authorityID);
         deleteAuthorityNSSDB();
     }
 
+    /** Revoke the authority's certificate
+     *
+     * TODO: revocation reason, invalidity date parameters
+     */
+    private void revokeAuthority(HttpServletRequest httpReq)
+            throws EBaseException {
+        CMS.debug("revokeAuthority: checking serial " + authoritySerial);
+        ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
+        String curStatus = certRecord.getStatus();
+        CMS.debug("revokeAuthority: current cert status: " + curStatus);
+        if (curStatus.equals(CertRecord.STATUS_REVOKED)
+                || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
+            return;  // already revoked
+        }
+
+        CMS.debug("revokeAuthority: revoking cert");
+        RevocationProcessor processor = new RevocationProcessor(
+                "CertificateAuthority.revokeAuthority", httpReq.getLocale());
+        processor.setSerialNumber(new CertId(authoritySerial));
+        processor.setRevocationReason(RevocationReason.UNSPECIFIED);
+        processor.setAuthority(this);
+        try {
+            processor.createCRLExtension();
+        } catch (IOException e) {
+            throw new ECAException("Unable to create CRL extensions", e);
+        }
+        processor.addCertificateToRevoke(mCaCert);
+        processor.createRevocationRequest();
+        processor.auditChangeRequest(ILogger.SUCCESS);
+        processor.processRevocationRequest();
+        processor.auditChangeRequestProcessed(ILogger.SUCCESS);
+    }
+
     /** Delete keys and certs of this authority from NSSDB.
      */
     private void deleteAuthorityNSSDB() throws ECAException {
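Review bot: The failure path of revokeAuthority is not audited: auditChangeRequest(ILogger.SUCCESS) is emitted before processRevocationRequest(), and if that call throws, no auditChangeRequestProcessed(ILogger.FAILURE) event follows, so the audit trail shows a revocation request with no recorded outcome. Since revokeAuthority propagates only EBaseException, processRevocationRequest presumably declares it; catching it there, recording the failed outcome and rethrowing closes the gap (adjust the caught type if the method declares something narrower). Separately, revokeAuthority(httpReq) runs after shutdown() while processor.setAuthority(this) hands the request to the authority that was just shut down; whether its request machinery still services the revocation is not visible in this hunk, so confirm it or move the revokeAuthority call before shutdown(). httpReq.getLocale() is also dereferenced without a null check, which any non-REST caller of the new signature would trip over; `Objects.requireNonNull(httpReq, "httpReq")` at the top of deleteAuthority would give a clear error instead of an NPE mid-deletion.
```java
        processor.addCertificateToRevoke(mCaCert);
        processor.createRevocationRequest();
        processor.auditChangeRequest(ILogger.SUCCESS);
        try {
            processor.processRevocationRequest();
        } catch (EBaseException e) {
            // record the failed outcome so the audit trail is complete before propagating
            processor.auditChangeRequestProcessed(ILogger.FAILURE);
            throw e;
        }
        processor.auditChangeRequestProcessed(ILogger.SUCCESS);
```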
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 246a3f08c0919807fb39ff0b49d5e37ef30e992c..584ab6e59638beada6c89a1882a176b4743a861d 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
         Map<String, String> auditParams = new LinkedHashMap<>();
 
         try {
-            ca.deleteAuthority();
+            ca.deleteAuthority(servletRequest);
             audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
             return createNoContentResponse();
         } catch (CATypeException e) {
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
index 308bfba126cf56d4cccae59a9a1550e34b926f08..5218a4cb11773d7922630f2c203670d82a0c82c4 100644
--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
@@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem {
     /**
      * Delete this lightweight CA.
      */
-    public void deleteAuthority()
+    public void deleteAuthority(HttpServletRequest httpReq)
         throws EBaseException;
 }
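Review bot: The Javadoc on deleteAuthority is not updated for the new parameter or the new behaviour: a caller of the interface cannot tell from `Delete this lightweight CA.` that the authority's certificate is now revoked as part of deletion, nor what httpReq is needed for. I would extend the comment to `Delete this lightweight CA, revoking its certificate first.` followed by `@param httpReq the servlet request of the caller; its locale is used for the revocation processing` and `@throws EBaseException if revocation or deletion fails`. The interface hunk itself is complete, but the implementation's ordering (shutdown before revocation) is only visible in CertificateAuthority.java.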
-- 
2.5.5


