The attached patch makes clones delete lightweight CA keys/certs
from local NSSDB when processing LWCA deletion.

Ticket: https://fedorahosted.org/pki/ticket/2328

Thanks,
Fraser
From 96079be3caea27ab1ecd5e6486a31c5c36294444 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 16 May 2016 12:20:21 +1000
Subject: [PATCH] Lightweight CAs: remove NSSDB material when processing
 deletion

When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.

Fixes: https://fedorahosted.org/pki/ticket/2328
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
8ef6fd4b6dc97b9108f470a38f45eec864f24015..9dc3ad060f78512bba3786a641b62182d9122553
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2850,9 +2850,13 @@ public class CertificateAuthority
 
         shutdown();
 
-        // delete ldap entry
         deleteAuthorityEntry(authorityID);
+        deleteAuthorityNSSDB();
+    }
 
+    /** Delete keys and certs of this authority from NSSDB.
+     */
+    private void deleteAuthorityNSSDB() throws ECAException {
         CryptoManager cryptoManager;
         try {
             cryptoManager = CryptoManager.getInstance();
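Review bot: The Javadoc on deleteAuthorityNSSDB() should say that it is now invoked from two paths — the local deleteAuthority() flow above it and, via ca.deleteAuthorityNSSDB() in the second hunk, on a different CertificateAuthority instance when a deletion performed elsewhere is observed — and should document its checked exception, e.g. `@throws ECAException if the local NSSDB material cannot be removed` (hedged: the throwing statement is not visible here). Callers need that to decide whether a failure leaves the authority's private key in the local NSSDB. The method body continues past the end of the hunk, so the remainder of its behaviour could not be reviewed.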
@@ -3146,6 +3150,18 @@ public class CertificateAuthority
         attr = entry.getAttribute("authorityID");
         if (attr != null) {
             aid = new AuthorityID(attr.getStringValueArray()[0]);
+            CertificateAuthority ca = (CertificateAuthority) getCA(aid);
+            if (ca == null)
+                return;  // shouldn't happen
+
+            try {
+                ca.deleteAuthorityNSSDB();
+            } catch (ECAException e) {
+                // log and carry on
+                CMS.debug(
+                    "Caught exception attempting to delete NSSDB material "
+                    + "for authority '" + aid + "': " + e);
+            }
             forgetAuthority(aid);
         }
     }
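Review bot: The early `return;  // shouldn't happen` when getCA(aid) yields null silently skips forgetAuthority(aid), which the pre-patch code ran unconditionally whenever the authorityID attribute was present, so a stale in-memory authority entry could survive if that case does occur; it also leaves no trace in the log. Suggest logging the null case and falling through to forgetAuthority(aid), so the in-memory state is still cleaned up. The ECAException branch only emits at debug level, yet a failure there means the deleted authority's signing key remains in this clone's NSSDB; if a higher-severity logging call is available in this class it would be the better choice (hedged: only CMS.debug is visible in the hunk). The enclosing method starts before the hunk.
```java
            CertificateAuthority ca = (CertificateAuthority) getCA(aid);
            if (ca == null) {
                CMS.debug("No local CA object for authority '" + aid
                    + "'; skipping NSSDB cleanup");
            } else {
                try {
                    ca.deleteAuthorityNSSDB();
                } catch (ECAException e) {
                    // log and carry on
                    CMS.debug(
                        "Caught exception attempting to delete NSSDB material "
                        + "for authority '" + aid + "': " + e);
                }
            }
            forgetAuthority(aid);
```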
-- 
2.5.5
