Please review:
Patches listed in reverse order (306 -> 303)
Ade
commit e3d47aabee97773832d2f8ac7ff138314b44f646
Author: Ade Lee <[email protected]>
Date: Thu May 19 11:56:26 2016 -0400
Add revocation information to pki CLI output.
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
commit fb7707dbf7148387075fc21d803e2ecb12c66ab6
Author: Ade Lee <[email protected]>
Date: Thu May 19 10:49:59 2016 -0400
Allow cert-find using revocation reasons
The REST API expects the integer revocation code to be passed
in a certificate search. We have modified the client to allow
the user to provide either a revocation code or a revocation
reason as a search parameter.
Ticket 1053
commit 443b3676302e7861180802784d8a1ebc43d07ea3
Author: Ade Lee <[email protected]>
Date: Thu May 19 00:08:20 2016 -0400
Add parameters to purge old published files
Ticket 2254
commit 31342868aa4468fd7c2818727930932fd1e2d23e
Author: Ade Lee <[email protected]>
Date: Wed May 18 15:33:36 2016 -0400
Add parameters to disable cert or crl publishing
Right now, if publishing is enabled, both CRLs and Cert publishing
is enabled. This causes a bunch of spurious error messages on
IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publishing.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publishing.enable = True
ca.publishing.cert_enable = False
* to enable cert publishing only:
ca.publishing.enable = True
ca.publishing.crl_enable = False
Ticket 2275
From e3d47aabee97773832d2f8ac7ff138314b44f646 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Thu, 19 May 2016 11:56:26 -0400
Subject: [PATCH 306/306] Add revocation information to pki CLI output.
The date on which the certificate is revoked and the agent that
revoked it is displayed now in cert-find and cert-show output.
Ticket 1055
---
.../org/dogtagpki/server/ca/rest/CertService.java | 24 +++++++++------
.../src/com/netscape/certsrv/cert/CertData.java | 36 ++++++++++++++++++++++
.../com/netscape/certsrv/cert/CertDataInfo.java | 33 ++++++++++++++++++++
.../src/com/netscape/cmstools/cert/CertCLI.java | 21 +++++++++++++
4 files changed, 105 insertions(+), 9 deletions(-)
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 2c5fa52b8e13f8c9bc033b9bc9a850e6220cef33..54a349e2a60c6fd7571c2cb43a0504d96050c11a 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -41,15 +41,6 @@ import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.provider.RSAPublicKey;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -84,6 +75,15 @@ import com.netscape.cms.servlet.processors.CAProcessor;
import com.netscape.cmsutil.ldap.LDAPUtil;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.provider.RSAPublicKey;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
/**
* @author alee
*
@@ -527,6 +527,9 @@ public class CertService extends PKIService implements CertResource {
Date notAfter = cert.getNotAfter();
if (notAfter != null) certData.setNotAfter(notAfter.toString());
+ certData.setRevokedOn(record.getRevokedOn());
+ certData.setRevokedBy(record.getRevokedBy());
+
certData.setStatus(record.getStatus());
if (authority.noncesEnabled() && generateNonce) {
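Review bot: `revokedBy` is the identity of the agent who performed the revocation, and this block now copies it into the CertData returned to whoever can fetch the certificate; if this helper is also reached from the unauthenticated certificate retrieval path (the `generateNonce` flag hints that it is shared between the public fetch and the agent-only review), internal agent user IDs become visible to anonymous clients. `revokedOn` is harmless to expose since the revocation date is already in the CRL, but consider populating the agent only on the authenticated path, e.g. `if (generateNonce) certData.setRevokedBy(record.getRevokedBy());` or a dedicated caller flag. The enclosing method starts and ends outside this hunk.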
@@ -575,6 +578,9 @@ public class CertService extends PKIService implements CertResource {
info.setIssuedOn(record.getCreateTime());
info.setIssuedBy(record.getIssuedBy());
+ info.setRevokedOn(record.getRevokedOn());
+ info.setRevokedBy(record.getRevokedBy());
+
URI uri = uriInfo.getBaseUriBuilder().path(CertResource.class, "getCert").build(id.toHexString());
info.setLink(new Link("self", uri));
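Review bot: The same `revokedBy` value is now included in every search result, so the cert-find listing lets a caller enumerate which agent revoked each certificate across the whole repository; if the search endpoint is reachable without agent credentials (the resource annotations are not visible from this hunk) that is a broader disclosure than the single-certificate case. Either gate the field on the caller's role before `info.setRevokedBy(...)`, or document on the REST resource that the search is agent-only. The enclosing method starts and ends outside this hunk.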
diff --git a/base/common/src/com/netscape/certsrv/cert/CertData.java b/base/common/src/com/netscape/certsrv/cert/CertData.java
index c0233dd66975db954144c6ac286c0ffd6a036e10..bb6d4c07cec27ad2f63d77c55d01f02102cd223f 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertData.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertData.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.cert;
import java.io.PrintWriter;
import java.io.StringReader;
import java.io.StringWriter;
+import java.util.Date;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Marshaller;
@@ -33,6 +34,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.dbs.certdb.CertIdAdapter;
+import com.netscape.certsrv.util.DateAdapter;
/**
* @author alee
@@ -67,6 +69,9 @@ public class CertData {
String notBefore;
String notAfter;
String status;
+ Date revokedOn;
+ String revokedBy;
+
Long nonce;
Link link;
@@ -162,6 +167,25 @@ public class CertData {
this.nonce = nonce;
}
+ @XmlElement(name="RevokedOn")
+ @XmlJavaTypeAdapter(DateAdapter.class)
+ public Date getRevokedOn() {
+ return revokedOn;
+ }
+
+ public void setRevokedOn(Date revokedOn) {
+ this.revokedOn = revokedOn;
+ }
+
+ @XmlElement(name="RevokedBy")
+ public String getRevokedBy() {
+ return revokedBy;
+ }
+
+ public void setRevokedBy(String revokedBy) {
+ this.revokedBy = revokedBy;
+ }
+
@XmlElement(name="Link")
public Link getLink() {
return link;
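Review bot: The new accessors carry no documentation, and the null contract is exactly what the CLI consumers in this series test before printing. Add `/** Time at which the certificate was revoked, or null if it has not been revoked. */` above `getRevokedOn()` and `/** UID of the agent that revoked the certificate, or null if it has not been revoked. */` above `getRevokedBy()`. It is also worth a sentence in the class comment that the validity dates on this class are strings (CertService sets them via `Date.toString()`) while `revokedOn` is a `Date` serialised through `DateAdapter`, so clients know to expect two different formats.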
@@ -185,6 +209,8 @@ public class CertData {
result = prime * result + ((serialNumber == null) ? 0 : serialNumber.hashCode());
result = prime * result + ((status == null) ? 0 : status.hashCode());
result = prime * result + ((subjectDN == null) ? 0 : subjectDN.hashCode());
+ result = prime * result + ((revokedOn == null) ? 0 : revokedOn.hashCode());
+ result = prime * result + ((revokedBy == null) ? 0 : revokedBy.hashCode());
return result;
}
@@ -247,6 +273,16 @@ public class CertData {
return false;
} else if (!subjectDN.equals(other.subjectDN))
return false;
+ if (revokedOn == null) {
+ if (other.revokedOn != null)
+ return false;
+ } else if (!revokedOn.equals(other.revokedOn))
+ return false;
+ if (revokedBy == null) {
+ if (other.revokedBy != null)
+ return false;
+ } else if (!revokedBy.equals(other.revokedBy))
+ return false;
return true;
}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/com/netscape/certsrv/cert/CertDataInfo.java
index a73cb5e3acec6a7398aa94c1ce8369d190199dc8..656f264f7744298aebc687f3eabf852786c43b40 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertDataInfo.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertDataInfo.java
@@ -71,6 +71,8 @@ public class CertDataInfo {
Date notValidAfter;
Date issuedOn;
String issuedBy;
+ Date revokedOn;
+ String revokedBy;
Link link;
@@ -186,6 +188,25 @@ public class CertDataInfo {
this.issuedBy = issuedBy;
}
+ @XmlElement(name="RevokedOn")
+ @XmlJavaTypeAdapter(DateAdapter.class)
+ public Date getRevokedOn() {
+ return revokedOn;
+ }
+
+ public void setRevokedOn(Date revokedOn) {
+ this.revokedOn = revokedOn;
+ }
+
+ @XmlElement(name="RevokedBy")
+ public String getRevokedBy() {
+ return revokedBy;
+ }
+
+ public void setRevokedBy(String revokedBy) {
+ this.revokedBy = revokedBy;
+ }
+
@XmlElement(name="Link")
public Link getLink() {
return link;
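Review bot: As on CertData, the new accessors are undocumented and their null semantics are what callers rely on. Suggest `/** Time of revocation, or null if the certificate is not revoked. */` on `getRevokedOn()` and `/** Agent that revoked the certificate, or null if it is not revoked. */` on `getRevokedBy()`, in whatever style the neighbouring `getIssuedOn()`/`getIssuedBy()` use (they are outside the hunk).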
@@ -212,6 +233,8 @@ public class CertDataInfo {
result = prime * result + ((issuerDN == null) ? 0 : issuerDN.hashCode());
result = prime * result + ((type == null) ? 0 : type.hashCode());
result = prime * result + ((version == null) ? 0 : version.hashCode());
+ result = prime * result + ((revokedOn == null) ? 0 : revokedOn.hashCode());
+ result = prime * result + ((revokedBy == null) ? 0 : revokedBy.hashCode());
return result;
}
@@ -289,6 +312,16 @@ public class CertDataInfo {
return false;
} else if (!version.equals(other.version))
return false;
+ if (revokedOn == null) {
+ if (other.revokedOn != null)
+ return false;
+ } else if (!revokedOn.equals(other.revokedOn))
+ return false;
+ if (revokedBy == null) {
+ if (other.revokedBy != null)
+ return false;
+ } else if (!revokedBy.equals(other.revokedBy))
+ return false;
return true;
}
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
index e0924d3538a5a747daf30687ee3f852013631564..14e4a53d6d604e21f06cdf791e27b0bf34a10955 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
@@ -19,6 +19,7 @@
package com.netscape.cmstools.cert;
import java.text.SimpleDateFormat;
+import java.util.Date;
import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -128,6 +129,16 @@ public class CertCLI extends CLI {
System.out.println(" Issued On: "+info.getIssuedOn());
System.out.println(" Issued By: "+info.getIssuedBy());
+ Date revokedOn = info.getRevokedOn();
+ if (revokedOn != null) {
+ System.out.println(" Revoked On: " + revokedOn);
+ }
+
+ String revokedBy = info.getRevokedBy();
+ if (revokedBy != null) {
+ System.out.println(" Revoked By: " + revokedBy);
+ }
+
Link link = info.getLink();
if (verbose && link != null) {
System.out.println(" Link: " + link.getHref());
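Review bot: `"  Revoked On: " + revokedOn` renders the date through `Date.toString()`, which depends on the JVM's default locale and timezone; this matches the `Issued On` line just above but presumably not the validity dates, since the file imports `SimpleDateFormat` for some formatter that is outside the hunk. Formatting the revocation date with that same formatter, e.g. `System.out.println("  Revoked On: " + dateFormat.format(revokedOn));` if such a field exists, keeps the output consistent and parsable by scripts. The enclosing method starts outside this hunk.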
@@ -146,6 +157,16 @@ public class CertCLI extends CLI {
System.out.println(" Not Before: " + certData.getNotBefore());
System.out.println(" Not After: " + certData.getNotAfter());
+ Date revokedOn = certData.getRevokedOn();
+ if (revokedOn != null) {
+ System.out.println(" Revoked On: " + revokedOn);
+ }
+
+ String revokedBy = certData.getRevokedBy();
+ if (revokedBy != null) {
+ System.out.println(" Revoked By: " + revokedBy);
+ }
+
Link link = certData.getLink();
if (verbose && link != null) {
System.out.println(" Link: " + link.getHref());
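Review bot: The ten lines printing "Revoked On" and "Revoked By" are now duplicated verbatim between this method and the one in the previous hunk of this file; a private helper such as `printRevocationInfo(Date revokedOn, String revokedBy)` called from both would keep the two outputs from drifting. Because `CertData` stores its validity dates as strings while `revokedOn` is a `Date`, that helper is also the single place to apply one date format. The enclosing method starts outside this hunk.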
--
2.7.3
From fb7707dbf7148387075fc21d803e2ecb12c66ab6 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Thu, 19 May 2016 10:49:59 -0400
Subject: [PATCH 305/306] Allow cert-find using revocation reasons
The REST API expects the integer revocation code to be passed
in a certificate search. We have modified the client to allow
the user to provide either a revocation code or a revocation
reason as a search parameter.
Ticket 1053
---
.../com/netscape/cmstools/cert/CertFindCLI.java | 23 ++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
index cb2d80ef35446dcd5714f0b6957ab194d3bf6da2..8e1045bf36cf222c0c0e745a49a73f801546cea2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
@@ -37,6 +37,8 @@ import com.netscape.certsrv.cert.CertSearchRequest;
import com.netscape.cmstools.cli.CLI;
import com.netscape.cmstools.cli.MainCLI;
+import netscape.security.x509.RevocationReason;
+
/**
* @author Endi S. Dewata
*/
@@ -126,7 +128,10 @@ public class CertFindCLI extends CLI {
options.addOption(option);
//revocationReason
- option = new Option(null, "revocationReason", true, "Reason for revocation");
+ option = new Option(null, "revocationReason", true,
+ "Reason for revocation: Unspecified(0), Key_compromise(1), CA_Compromise(2), Affiliation_Changed(3), " +
+ "Superseded(4), Cessation_of_Operation(5), Certificate_Hold(6), Remove_from_CRL(8), " +
+ "Privilege_Withdrawn(9), AA_Compromise(10)");
option.setArgName("reason");
options.addOption(option);
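Review bot: The help string mixes casings (`Key_compromise` next to `CA_Compromise` and `Cessation_of_Operation`), and if `RevocationReason.valueOf(String)` matches labels exactly (its implementation is not visible here) a user copying a label from this text will hit "Invalid revocation reason" for any that differs from the enum's spelling; copy the labels from the enum constants rather than retyping them. The text should also say that either form is accepted, e.g. `"Reason for revocation, as a name or numeric code: ..."`.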
@@ -369,7 +374,21 @@ public class CertFindCLI extends CLI {
}
if (cmd.hasOption("revocationReason")) {
csd.setRevocationReasonInUse(true);
- csd.setRevocationReason(cmd.getOptionValue("revocationReason"));
+ String value = cmd.getOptionValue("revocationReason");
+ RevocationReason reason = null;
+ try {
+ // accept integer reason codes
+ int val = Integer.parseInt(value);
+ reason = RevocationReason.valueOf(val);
+ } catch (NumberFormatException e) {
+ // accept reason labels
+ reason = RevocationReason.valueOf(value);
+ }
+ if (reason != null) {
+ csd.setRevocationReason(Integer.toString(reason.getCode()));
+ } else {
+ throw new Error("Invalid revocation reason");
+ }
}
if (cmd.hasOption("issuedBy")) {
csd.setIssuedByInUse(true);
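Review bot: `throw new Error("Invalid revocation reason")` on user input is the wrong type: `java.lang.Error` denotes unrecoverable JVM failures and is not caught by the `catch (Exception)` handlers CLI entry points normally use, so a typo in `--revocationReason` would surface as a stack trace instead of a usage message. Throw an `Exception` (or whatever type the surrounding option validation already uses, outside the hunk), e.g. `throw new Exception("Invalid revocation reason: " + value);`, and include the offending value. A comment that `RevocationReason.valueOf(int)` is assumed to return null for unknown codes such as 7 or 99 rather than throwing would also help, since the null check is the only guard. The enclosing method starts and ends outside this hunk.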
--
2.7.3
From 443b3676302e7861180802784d8a1ebc43d07ea3 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Thu, 19 May 2016 00:08:20 -0400
Subject: [PATCH 304/306] Add parameters to purge old published files
Ticket 2254
---
.../cms/publish/publishers/FileBasedPublisher.java | 85 +++++++++++++++++++++-
1 file changed, 81 insertions(+), 4 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
index c48aa2db44163850d34f99e146ba6505926d2389..d2f6d39127b312f2b9ac51d70f44c162f24e9d96 100644
--- a/base/server/cms/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
@@ -28,14 +28,14 @@ import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Comparator;
import java.util.Locale;
import java.util.TimeZone;
import java.util.Vector;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
-import netscape.ldap.LDAPConnection;
-
import org.mozilla.jss.util.Base64OutputStream;
import com.netscape.certsrv.apps.CMS;
@@ -47,6 +47,8 @@ import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.publish.ILdapPublisher;
import com.netscape.cmsutil.util.Utils;
+import netscape.ldap.LDAPConnection;
+
/**
* This publisher writes certificate and CRL into
* a directory.
@@ -62,6 +64,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
private static final String PROP_EXT = "crlLinkExt";
private static final String PROP_ZIP = "zipCRLs";
private static final String PROP_LEV = "zipLevel";
+ private static final String PROP_MAX_AGE = "maxAge";
+ private static final String PROP_MAX_FILES = "maxFiles";
private IConfigStore mConfig = null;
private String mDir = null;
private ILogger mLogger = CMS.getLogger();
@@ -73,6 +77,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
protected String mTimeStamp = null;
protected String mLinkExt = null;
protected int mZipLevel = 9;
+ protected int maxAge = 0;
+ protected int maxFiles = 0;
public void setIssuingPointId(String crlIssuingPointId) {
mCrlIssuingPointId = crlIssuingPointId;
@@ -108,6 +114,10 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
+ ";string;Name extension used by link to the latest CRL. Default name extension is 'der'.",
PROP_ZIP + ";boolean;Generate compressed CRLs.",
PROP_LEV + ";choice(0,1,2,3,4,5,6,7,8,9);Set compression level from 0 to 9.",
+ PROP_MAX_AGE
+ + ";integer;Number of hours after which files should expire and be purged. Default is 0, which means to never expire.",
+ PROP_MAX_FILES
+ + ";integer;Maximum number of files to be kept. Once new files are published, the oldest files will be purged. Default is 0 (no limit)",
IExtendedPluginInfo.HELP_TOKEN +
";configuration-ldappublish-publisher-filepublisher",
IExtendedPluginInfo.HELP_TEXT
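Review bot: The help text for `maxAge` and `maxFiles` should say what is counted: as implemented later in this patch, both limits apply to every regular file in the publishing directory, not only files this publisher wrote, so an operator needs to know the directory must be dedicated to this issuing point. Suggest `";integer;Number of hours after which any file in the publishing directory is purged. 0 (default) disables expiry."` and `";integer;Maximum number of files kept in the publishing directory; the oldest are purged first. 0 (default) means no limit."`. The string array continues outside the hunk.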
@@ -143,6 +153,14 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
} catch (EBaseException e) {
}
try {
+ maxFiles = mConfig.getInteger(PROP_MAX_FILES, 0);
+ } catch (EBaseException e) {
+ }
+ try {
+ maxAge = mConfig.getInteger(PROP_MAX_AGE, 0);
+ } catch (EBaseException e) {
+ }
+ try {
if (mTimeStamp == null || (!mTimeStamp.equals("GMT")))
mTimeStamp = "LocalTime";
v.addElement(PROP_DIR + "=" + dir);
@@ -153,6 +171,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
v.addElement(PROP_EXT + "=" + ext);
v.addElement(PROP_ZIP + "=" + mConfig.getBoolean(PROP_ZIP, false));
v.addElement(PROP_LEV + "=" + mZipLevel);
+ v.addElement(PROP_MAX_FILES +"=" + maxFiles);
+ v.addElement(PROP_MAX_AGE + "=" + maxAge);
} catch (Exception e) {
}
return v;
@@ -172,6 +192,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
v.addElement(PROP_EXT + "=");
v.addElement(PROP_ZIP + "=false");
v.addElement(PROP_LEV + "=9");
+ v.addElement(PROP_MAX_FILES + "=0");
+ v.addElement(PROP_MAX_AGE + "=0");
return v;
}
@@ -191,6 +213,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
mLinkExt = mConfig.getString(PROP_EXT, null);
mZipCRL = mConfig.getBoolean(PROP_ZIP, false);
mZipLevel = mConfig.getInteger(PROP_LEV, 9);
+ maxFiles = mConfig.getInteger(PROP_MAX_FILES, 0);
+ maxAge = mConfig.getInteger(PROP_MAX_AGE, 0);
} catch (EBaseException e) {
}
if (dir == null) {
@@ -274,7 +298,7 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
}
/**
- * Publishs a object to the ldap directory.
+ * Publishes a object to the ldap directory.
*
* @param conn a Ldap connection
* (null if LDAP publishing is not enabled)
@@ -410,6 +434,8 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
renameFile.renameTo(destFile);
}
}
+ purgeExpiredFiles();
+ purgeExcessFiles();
} catch (IOException e) {
mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER,
ILogger.LL_FAILURE, CMS.getLogMessage("PUBLISH_FILE_PUBLISHER_ERROR", e.toString()));
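Review bot: The purge calls sit inside a `try` whose `catch` handles only `IOException`, yet `purgeExpiredFiles()`/`purgeExcessFiles()` can only fail with runtime exceptions (`dir.listFiles()` returns null on an I/O error and is dereferenced unguarded), so a purge failure would propagate out of `publish` after the file was already written. Wrap them separately, e.g. `try { purgeExpiredFiles(); purgeExcessFiles(); } catch (RuntimeException e) { mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, "purge of published files failed: " + e); }`, so housekeeping never turns a successful publish into a failed one. Note also that this runs on every publish, so if cert publishing points at the same directory the limits count certificates and CRLs together. The enclosing method starts outside this hunk.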
@@ -422,8 +448,59 @@ public class FileBasedPublisher implements ILdapPublisher, IExtendedPluginInfo {
}
}
+ public void purgeExpiredFiles() {
+ File dir = new File(mDir);
+
+ if (!dir.isDirectory()) return;
+
+ if (maxAge != 0) {
+ long now = System.currentTimeMillis();
+ long duration = 60 * 1000 * 60 * maxAge;
+ long expiration = now - duration;
+
+ // purge any files older than maxAge hours
+ File[] files = dir.listFiles();
+ for (File file : files) {
+ if (file.lastModified() < expiration) {
+ CMS.debug("Expiring and deleting file older than " + maxAge + " hours: " +
+ file.getName());
+ if (file.isFile()) file.delete();
+ }
+ }
+ }
+ }
+
+ public void purgeExcessFiles() {
+ File dir = new File(mDir);
+
+ if (!dir.isDirectory()) return;
+
+ if (maxFiles != 0) {
+ // purge any files over maxFiles limit
+ if (dir.listFiles().length <= maxFiles) return;
+
+ File[] files = dir.listFiles();
+ Arrays.sort(files, new Comparator<File>() {
+ public int compare(File f1, File f2) {
+ return Long.valueOf(f1.lastModified()).compareTo(f2.lastModified());
+ }
+ }
+ );
+
+ for (File file: files) {
+ if (dir.listFiles().length > maxFiles) {
+ CMS.debug("Deleting file as publishing directory has more than " + maxFiles
+ + " files: " + file);
+ if (file.isFile()) file.delete();
+ } else {
+ break;
+ }
+ }
+ }
+ }
+
/**
- * Unpublishs a object to the ldap directory.
+ * Unpublishes a object to the ldap directory.
*
* @param conn the Ldap connection
* (null if LDAP publishing is not enabled)
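Review bot: `long duration = 60 * 1000 * 60 * maxAge;` is evaluated in `int`, so any `maxAge` of 597 hours or more (about 25 days) overflows to a negative duration, `expiration` lands in the future, and the next publish deletes every regular file in the publishing directory; a negative `maxAge` or `maxFiles` from the config has the same effect because the `!= 0` checks treat them as enabled. Both methods are also indiscriminate: they delete any regular file in `mDir` rather than files this publisher wrote, including the latest-CRL link the previous hunk renames into place and the newest CRL itself, so a weekly CRL with `maxAge=24` leaves relying parties nothing to download after a day — a self-inflicted outage of the revocation data. `purgeExcessFiles` counts subdirectories in `dir.listFiles().length` but never deletes them, so once they number `maxFiles` or more the loop removes every file, and `listFiles()` can return null on an I/O error, which both methods dereference unguarded. The rewrite below uses long arithmetic, treats values `<= 0` as disabled, never deletes the most recently modified file, counts and sorts regular files only, and logs a failed `delete()`; it needs no imports beyond the `java.util.Arrays` this patch already adds. Restricting the purge to names carrying this issuing point's prefix would be a further safeguard, but the naming scheme is not visible from the hunk.
```java
    public void purgeExpiredFiles() {
        File dir = new File(mDir);
        // 0 (the default) or a negative value disables expiry instead of deleting everything
        if (!dir.isDirectory() || maxAge <= 0) return;

        File[] files = dir.listFiles();
        if (files == null) return; // listing failed (I/O error or permissions)

        // long arithmetic: 60 * 1000 * 60 * maxAge overflows int once maxAge >= 597 hours
        long expiration = System.currentTimeMillis() - 3600000L * maxAge;

        // keep whatever was published most recently, even if it is older than maxAge,
        // so a slow CRL schedule never leaves the directory empty
        long newest = Long.MIN_VALUE;
        for (File f : files) {
            if (f.isFile()) newest = Math.max(newest, f.lastModified());
        }

        for (File file : files) {
            if (!file.isFile()) continue;
            long modified = file.lastModified();
            if (modified < expiration && modified < newest) {
                CMS.debug("Expiring and deleting file older than " + maxAge + " hours: " + file.getName());
                if (!file.delete()) CMS.debug("Failed to delete " + file.getName());
            }
        }
    }

    public void purgeExcessFiles() {
        File dir = new File(mDir);
        // 0 (the default) or a negative value means no limit
        if (!dir.isDirectory() || maxFiles <= 0) return;

        File[] listed = dir.listFiles();
        if (listed == null) return;

        // count only regular files: directories are never deleted, so counting them
        // would make the loop delete every file once they alone exceed maxFiles
        int n = 0;
        for (File f : listed) {
            if (f.isFile()) listed[n++] = f; // compacts in place; n never passes the read index
        }
        File[] files = Arrays.copyOf(listed, n);
        if (files.length <= maxFiles) return;

        Arrays.sort(files, new Comparator<File>() {
            public int compare(File f1, File f2) {
                return Long.valueOf(f1.lastModified()).compareTo(f2.lastModified());
            }
        });

        // oldest first, stopping as soon as the remaining count is within the limit
        for (int i = 0; files.length - i > maxFiles; i++) {
            CMS.debug("Deleting file as publishing directory has more than " + maxFiles + " files: " + files[i]);
            if (!files[i].delete()) CMS.debug("Failed to delete " + files[i].getName());
        }
    }
```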
--
2.7.3
From 31342868aa4468fd7c2818727930932fd1e2d23e Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Wed, 18 May 2016 15:33:36 -0400
Subject: [PATCH 303/306] Add parameters to disable cert or crl publishing
Right now, if publishing is enabled, both CRL and cert publishing
are enabled. This causes a lot of spurious error messages on
IPA servers, where cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired
or simply misconfigured, we provide options to explicitly disable
either cert or crl publishing.
Specifically:
* to enable/disable both cert and crl publishing:
ca.publishing.enable = True/False
This is the legacy behavior.
* to enable CRL publishing only:
ca.publishing.enable = True
ca.publishing.cert_enable = False
* to enable cert publishing only:
ca.publishing.enable = True
ca.publishing.crl_enable = False
Ticket 2275
---
base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 42 +++++++-------
.../src/com/netscape/ca/CertificateAuthority.java | 2 +-
.../certsrv/publish/IPublisherProcessor.java | 27 ++++++---
.../certsrv/publish/IXcertPublisherProcessor.java | 1 +
.../netscape/certsrv/request/ARequestNotifier.java | 2 +-
.../src/com/netscape/cms/jobs/PublishCertsJob.java | 8 +--
.../com/netscape/cms/jobs/UnpublishExpiredJob.java | 8 +--
.../com/netscape/cms/servlet/cert/UpdateCRL.java | 16 +++---
.../com/netscape/cms/servlet/cert/UpdateDir.java | 10 ++--
.../cms/servlet/cert/scep/CRSEnrollment.java | 64 +++++++++++-----------
.../cmscore/cert/CrossCertPairSubsystem.java | 2 +-
.../netscape/cmscore/ldap/LdapRequestListener.java | 4 +-
.../netscape/cmscore/ldap/PublisherProcessor.java | 46 +++++++++++-----
13 files changed, 130 insertions(+), 102 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index 9e13cc9066d8bda30febcbb9a6debf9b9c1ec696..fc9e6a355bf1b55e0d46bf0543d8302edae7be51 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -31,23 +31,6 @@ import java.util.StringTokenizer;
import java.util.TimeZone;
import java.util.Vector;
-import netscape.security.util.BitArray;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLNumberExtension;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.DeltaCRLIndicatorExtension;
-import netscape.security.x509.Extension;
-import netscape.security.x509.FreshestCRLExtension;
-import netscape.security.x509.IssuingDistributionPoint;
-import netscape.security.x509.IssuingDistributionPointExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.RevokedCertificate;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -83,6 +66,23 @@ import com.netscape.cmscore.dbs.CertRecord;
import com.netscape.cmscore.dbs.CertificateRepository;
import com.netscape.cmscore.util.Debug;
+import netscape.security.util.BitArray;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.Extension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.IssuingDistributionPoint;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509ExtensionException;
+
/**
* This class encapsulates CRL issuing mechanism. CertificateAuthority
* contains a map of CRLIssuingPoint indexed by string ids. Each issuing
@@ -242,11 +242,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
/**
* time to wait at the next loop if exception happens during CRL generation
*/
- private long mUnexpectedExceptionWaitTime;
+ private long mUnexpectedExceptionWaitTime;
/**
* Max number allowed to loop if exception happens during CRL generation.
- * When mUnexpectedExceptionLoopMax is reached, a slow down procedure
+ * When mUnexpectedExceptionLoopMax is reached, a slow down procedure
* will be executed
*/
private int mUnexpectedExceptionLoopMax;
@@ -1808,7 +1808,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
if (timeLapse < mUnexpectedExceptionWaitTime) {
long waitTime = mUnexpectedExceptionWaitTime - timeLapse;
CMS.debug("CRLIssuingPoint:run(): wait time after last failure:" + waitTime);
- try {
+ try {
wait (waitTime);
} catch (InterruptedException e) {
} catch (IllegalArgumentException e) {
@@ -2996,7 +2996,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
}
}
if (x509crl != null &&
- mPublisherProcessor != null && mPublisherProcessor.enabled()) {
+ mPublisherProcessor != null && mPublisherProcessor.isCRLPublishingEnabled()) {
Enumeration<ILdapRule> rules = mPublisherProcessor.getRules(IPublisherProcessor.PROP_LOCAL_CRL);
if (rules == null || !rules.hasMoreElements()) {
CMS.debug("CRL publishing is not enabled.");
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 8ef6fd4b6dc97b9108f470a38f45eec864f24015..5b2f382c29a716f3e72695b7da5406bb85b34845 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -1776,7 +1776,7 @@ public class CertificateAuthority
// if ldap publishing is not enabled while publishing isenabled
// there will be a lot of problem.
try {
- if (mPublisherProcessor.enabled()) {
+ if (mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.publishCACert(mCaCert);
CMS.debug("published ca cert");
}
diff --git a/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java b/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java
index a2f8fcc7103c4f6dc6bd3a1b57ec06828bc6c3fb..f2ee8718149f678267f5477ef41734028c5d69a8 100644
--- a/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java
+++ b/base/common/src/com/netscape/certsrv/publish/IPublisherProcessor.java
@@ -24,13 +24,13 @@ import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
-import netscape.security.x509.X509CRLImpl;
-
import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.ldap.ELdapException;
import com.netscape.certsrv.ldap.ILdapConnModule;
import com.netscape.certsrv.request.IRequest;
+import netscape.security.x509.X509CRLImpl;
+
/**
* Controls the publishing process from the top level. Maintains
* a collection of Publishers , Mappers, and Publish Rules.
@@ -56,6 +56,8 @@ public interface IPublisherProcessor extends ISubsystem {
public static final String PROP_PREDICATE = "predicate";
public static final String PROP_ENABLE = "enable";
+ public static final String PROP_CERT_ENABLE = "cert_enable";
+ public static final String PROP_CRL_ENABLE = "crl_enable";
public static final String PROP_LDAP = "ldap";
public static final String PROP_MAPPER = "mapper";
public static final String PROP_PUBLISHER = "publisher";
@@ -250,6 +252,7 @@ public interface IPublisherProcessor extends ISubsystem {
*
* @param cert X509 certificate to be published.
* @exception ELdapException publish failed due to Ldap error.
+ * @throws ELdapException
*/
public void publishCACert(X509Certificate cert)
throws ELdapException;
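Review bot: The added `@throws ELdapException` duplicates the `@exception ELdapException publish failed due to Ldap error.` line directly above it — `@throws` and `@exception` are synonyms in Javadoc, so the generated documentation now lists the exception twice, the second time without a description, and doclint flags the repetition. Drop the new line here and in the following hunks of this file, or replace the existing `@exception` tags with `@throws` if the intent was to modernise them.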
@@ -257,6 +260,7 @@ public interface IPublisherProcessor extends ISubsystem {
/**
* This function is never called. CMS does not unpublish
* CA certificate.
+ * @throws ELdapException
*/
public void unpublishCACert(X509Certificate cert)
throws ELdapException;
@@ -268,6 +272,7 @@ public interface IPublisherProcessor extends ISubsystem {
* @param cert X509 certificate to be published.
* @param req request which provides the criteria
* @exception ELdapException publish failed due to Ldap error.
+ * @throws ELdapException
*/
public void publishCert(X509Certificate cert, IRequest req)
throws ELdapException;
@@ -279,6 +284,7 @@ public interface IPublisherProcessor extends ISubsystem {
* @param cert X509 certificate to be unpublished.
* @param req request which provides the criteria
* @exception ELdapException unpublish failed due to Ldap error.
+ * @throws ELdapException
*/
public void unpublishCert(X509Certificate cert, IRequest req)
throws ELdapException;
@@ -291,6 +297,7 @@ public interface IPublisherProcessor extends ISubsystem {
* @param crl Certificate Revocation List
* @param crlIssuingPointId name of the issuing point.
* @exception ELdapException publish failed due to Ldap error.
+ * @throws ELdapException
*/
public void publishCRL(X509CRLImpl crl, String crlIssuingPointId)
throws ELdapException;
@@ -302,6 +309,7 @@ public interface IPublisherProcessor extends ISubsystem {
* @param dn Distinguished name to publish.
* @param crl Certificate Revocation List
* @exception ELdapException publish failed due to Ldap error.
+ * @throws ELdapException
*/
public void publishCRL(String dn, X509CRL crl)
throws ELdapException;
@@ -316,13 +324,16 @@ public interface IPublisherProcessor extends ISubsystem {
public boolean ldapEnabled();
/**
- *
- * Return true of PublisherProcessor is enabled.
- *
- * @return true if is enabled, otherwise false.
- *
+ * Return true if Certificate Publishing is enabled.
+ * @return true if enabled, false otherwise
*/
- public boolean enabled();
+ public boolean isCertPublishingEnabled();
+
+ /**
+ * Return true if CRL publishing is enabled,
+ * @return true if enabled, false otherwise.
+ */
+ public boolean isCRLPublishingEnabled();
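Review bot: Removing `enabled()` from the public `IPublisherProcessor` interface is a source- and binary-incompatible change for any out-of-tree publisher or plugin that calls or implements it, and this series only updates in-tree callers. Keep it for one release as `@Deprecated public boolean enabled();`, implemented in `PublisherProcessor` (outside this view) as cert-or-CRL enabled, or state the break in the commit message. The new Javadoc should also record how the flags combine, since the commit message says the master `enable` switch still governs both — e.g. `Return true if CRL publishing is enabled, i.e. publishing as a whole is enabled and crl_enable is not set to false.` — and the stray comma after "enabled," should be a period.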
/**
*
diff --git a/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java b/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java
index 352ec02a827132add9115ceb1715aa041cf6b538..0793fbb93450752731a42712e77f40de0d6d901f 100644
--- a/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java
+++ b/base/common/src/com/netscape/certsrv/publish/IXcertPublisherProcessor.java
@@ -31,6 +31,7 @@ public interface IXcertPublisherProcessor extends IPublisherProcessor {
* Publish crossCertificatePair.
*
* @param pair Byte array representing cert pair.
+ * @throws ELdapException
* @exception EldapException publish failed due to Ldap error.
*/
public void publishXCertPair(byte[] pair)
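Review bot: Here the new `@throws ELdapException` is placed above an existing `@exception EldapException ...` tag whose type name is misspelled (`Eldap`), which is presumably why the IDE offered to add a tag; fixing the typo to `@exception ELdapException publish failed due to Ldap error.` and not adding a second tag leaves one documented exception with its description. The method declaration continues past the hunk.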
diff --git a/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java b/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java
index 4a6e3260bbd2b8c88e544a6bc7c8a47610279aea..526a382bf64e7aceaa1446de48ec9d6229456c56 100644
--- a/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java
+++ b/base/common/src/com/netscape/certsrv/request/ARequestNotifier.java
@@ -363,7 +363,7 @@ public class ARequestNotifier implements IRequestNotifier {
IPublisherProcessor pp = null;
if (mCA != null)
pp = mCA.getPublisherProcessor();
- if (pp != null && pp.enabled()) {
+ if (pp != null && (pp.isCertPublishingEnabled() || pp.isCRLPublishingEnabled())) {
ILdapConnModule ldapConnModule = pp.getLdapConnModule();
if (ldapConnModule != null) {
ILdapConnFactory ldapConnFactory = ldapConnModule.getLdapConnFactory();
diff --git a/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java b/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
index 25c80817ba3457646574081fb50c69cbc40ac769..8d75e5ae88186153c8559f63d67ebbf052b3fa85 100644
--- a/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
+++ b/base/server/cms/src/com/netscape/cms/jobs/PublishCertsJob.java
@@ -22,8 +22,6 @@ import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -43,6 +41,8 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
+import netscape.security.x509.X509CertImpl;
+
/**
* a job for the Jobs Scheduler. This job checks in the internal ldap
* db for valid certs that have not been published to the
@@ -289,7 +289,7 @@ public class PublishCertsJob extends AJobBase
}
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.publishCert(cert, req);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
@@ -312,7 +312,7 @@ public class PublishCertsJob extends AJobBase
else {
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.publishCert(cert, null);
if (mSummary == true)
diff --git a/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java b/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
index b28e937514f3ee3288a00fda6b68f50b7c7f7caf..3a5d780ef114a0cd6498eebcd681cadcb7833d71 100644
--- a/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
+++ b/base/server/cms/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
@@ -22,8 +22,6 @@ import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -43,6 +41,8 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
+import netscape.security.x509.X509CertImpl;
+
/**
* a job for the Jobs Scheduler. This job checks in the internal ldap
* db for certs that have expired and remove them from the ldap
@@ -284,7 +284,7 @@ public class UnpublishExpiredJob extends AJobBase
}
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.unpublishCert(cert, req);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
@@ -307,7 +307,7 @@ public class UnpublishExpiredJob extends AJobBase
else {
try {
if ((mPublisherProcessor != null) &&
- mPublisherProcessor.enabled()) {
+ mPublisherProcessor.isCertPublishingEnabled()) {
mPublisherProcessor.unpublishCert(cert, null);
if (mSummary == true)
buildItemParams(IEmailFormProcessor.TOKEN_STATUS,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
index e39b665559947f2189dd2c68e4bb4d355abeb5aa..d873b1a33dff3e816d0132895ef6411e59229ebe 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
@@ -30,12 +30,6 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.InvalidityDateExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
import com.netscape.certsrv.authentication.IAuthToken;
@@ -60,6 +54,12 @@ import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.InvalidityDateExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+
/**
* Force the CRL to be updated now.
*
@@ -445,7 +445,7 @@ public class UpdateCRL extends CMSServlet {
publishError = e;
}
- if (lpm != null && lpm.enabled()) {
+ if (lpm != null && lpm.isCRLPublishingEnabled()) {
Enumeration<ILdapRule> rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL);
if (rules != null && rules.hasMoreElements()) {
if (publishError != null) {
@@ -501,7 +501,7 @@ public class UpdateCRL extends CMSServlet {
}
} catch (EBaseException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString()));
- if ((lpm != null) && lpm.enabled() && (e instanceof ELdapException)) {
+ if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) {
header.addStringValue("crlPublished", "Failure");
header.addStringValue("error", e.toString(locale));
} else {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
index a662f8e7bf9c7658a97c4467c024279a7ec93746..079eaf15a66a630950c911ea0a557650af8274b5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateDir.java
@@ -29,9 +29,6 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
@@ -58,6 +55,9 @@ import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+
/**
* Update the configured LDAP server with specified objects
*
@@ -176,8 +176,8 @@ public class UpdateDir extends CMSServlet {
try {
String crlIssuingPointId = req.getParameter("crlIssuingPoint");
- if (mPublisherProcessor == null ||
- !mPublisherProcessor.enabled())
+ if (mPublisherProcessor == null || (!mPublisherProcessor.isCertPublishingEnabled()
+ && !mPublisherProcessor.isCRLPublishingEnabled()))
throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_PUB_MODULE"));
String[] updateValue = new String[updateName.length];
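Review bot: The guard now throws CMS_GW_NO_PUB_MODULE only when both cert and CRL publishing are off, so if the remainder of the method (outside the hunk) publishes certs or CRLs according to `updateName`, a request for the kind that is disabled will pass this check and then be dropped by the processor's own early return (`if (!isCertPublishingEnabled()) return;` / `if (!isCRLPublishingEnabled()) return;` in PublisherProcessor), presumably with no error reported to the operator; consider checking the specific flag at the point where each type is handled. Separately, the rewritten condition now spans two lines with no braces around the `throw`; wrapping it as `if (...) { throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_PUB_MODULE")); }` avoids a dangling-statement mistake on a later edit.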
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 30c07d1c1e0b4a34ae5d35090355b4c032f8dad4..744f9347265fb89491e2673151ab9aac9ab8a271 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -34,37 +34,6 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS10Attribute;
-import netscape.security.pkcs.PKCS10Attributes;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AVA;
-import netscape.security.x509.CertAttrSet;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.DNSName;
-import netscape.security.x509.Extension;
-import netscape.security.x509.GeneralName;
-import netscape.security.x509.GeneralNameInterface;
-import netscape.security.x509.GeneralNames;
-import netscape.security.x509.IPAddressName;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.OIDMap;
-import netscape.security.x509.RDN;
-import netscape.security.x509.SubjectAlternativeNameExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.asn1.ANY;
@@ -122,6 +91,37 @@ import com.netscape.cms.servlet.profile.SSLClientCertProvider;
import com.netscape.cmsutil.scep.CRSPKIMessage;
import com.netscape.cmsutil.util.Utils;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AVA;
+import netscape.security.x509.CertAttrSet;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.DNSName;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.GeneralNameInterface;
+import netscape.security.x509.GeneralNames;
+import netscape.security.x509.IPAddressName;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.OIDMap;
+import netscape.security.x509.RDN;
+import netscape.security.x509.SubjectAlternativeNameExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
/**
* This servlet deals with PKCS#10-based certificate requests from
* CRS, now called SCEP, and defined at:
@@ -1057,7 +1057,7 @@ public class CRSEnrollment extends HttpServlet {
boolean result = false;
IPublisherProcessor ldapPub = mAuthority.getPublisherProcessor();
- if (ldapPub == null || !ldapPub.enabled()) {
+ if (ldapPub == null || !ldapPub.isCertPublishingEnabled()) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP"));
return result;
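Review bot: With the new `isCertPublishingEnabled()` check, an explicitly disabled cert publisher (the `cert_enable = False` case this series introduces for IPA) still hits `log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP"))` on every SCEP enrollment, which is the same kind of spurious failure logging the series sets out to remove. Splitting the guard keeps the failure log for a missing processor and demotes the deliberate-disable case to a debug line. The enclosing method continues outside the hunk.
```java
        IPublisherProcessor ldapPub = mAuthority.getPublisherProcessor();
        if (ldapPub == null) {
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERROR_CREATE_ENTRY_FROM_CEP"));
            return result;
        }
        if (!ldapPub.isCertPublishingEnabled()) {
            // Cert publishing is switched off by configuration; not an error.
            CMS.debug("CRSEnrollment: cert publishing disabled, skipping directory entry");
            return result;
        }
        // … unchanged: remainder of the method …
```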
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
index 7f30c8458c85c242f2230d625466ebf68b48c3b1..885bb35c502d2aeb60fe6259a522514beb64b3cb 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CrossCertPairSubsystem.java
@@ -400,7 +400,7 @@ public class CrossCertPairSubsystem implements ICrossCertPairSubsystem {
LDAPConnection conn = null;
if ((mPublisherProcessor == null) ||
- !mPublisherProcessor.enabled())
+ !mPublisherProcessor.isCertPublishingEnabled())
return;
try {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java
index 79131244a8b292e43767985c1f6664c38339cd1e..3d4f75466dcb57d6a877401ff02724647874a07b 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java
@@ -21,8 +21,6 @@ import java.math.BigInteger;
import java.security.cert.Certificate;
import java.util.Hashtable;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authority.IAuthority;
import com.netscape.certsrv.base.EBaseException;
@@ -41,6 +39,8 @@ import com.netscape.certsrv.request.IRequestListener;
import com.netscape.certsrv.request.RequestId;
import com.netscape.cmscore.dbs.CertRecord;
+import netscape.security.x509.X509CertImpl;
+
public class LdapRequestListener implements IRequestListener {
private boolean mInited = false;
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldap/PublisherProcessor.java b/base/server/cmscore/src/com/netscape/cmscore/ldap/PublisherProcessor.java
index 4397dc255d63ba470cf9163bdceff23d976a2c45..b90807d37b0a54c8f92a8ad15a18f0bc2ff0708c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldap/PublisherProcessor.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldap/PublisherProcessor.java
@@ -833,7 +833,7 @@ public class PublisherProcessor implements
boolean error = false;
StringBuffer errorRule = new StringBuffer();
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
CMS.debug("PublishProcessor::publishCACert");
@@ -903,7 +903,7 @@ public class PublisherProcessor implements
boolean error = false;
StringBuffer errorRule = new StringBuffer();
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
// get mapper and publisher for cert type.
@@ -968,7 +968,7 @@ public class PublisherProcessor implements
throws ELdapException {
String errorRule = "";
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
CMS.debug("PublisherProcessor: in publishXCertPair()");
@@ -1030,7 +1030,7 @@ public class PublisherProcessor implements
StringBuffer errorRule = new StringBuffer();
CMS.debug("In PublisherProcessor::publishCert");
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
// get mapper and publisher for cert type.
@@ -1087,7 +1087,7 @@ public class PublisherProcessor implements
boolean error = false;
StringBuffer errorRule = new StringBuffer();
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
// get mapper and publisher for cert type.
@@ -1148,13 +1148,14 @@ public class PublisherProcessor implements
* publishes a crl by mapping the issuer name in the crl to an entry
* and publishing it there. entry must be a certificate authority.
* Note that this is used by cmsgateway/cert/UpdateDir.java
+ * @throws ELdapException
*/
public void publishCRL(X509CRLImpl crl, String crlIssuingPointId)
throws ELdapException {
boolean error = false;
String errorRule = "";
- if (!enabled())
+ if (!isCRLPublishingEnabled())
return;
ILdapMapper mapper = null;
ILdapPublisher publisher = null;
@@ -1249,7 +1250,7 @@ public class PublisherProcessor implements
boolean error = false;
String errorRule = "";
- if (!enabled())
+ if (!isCRLPublishingEnabled())
return;
// get mapper and publisher for cert type.
Enumeration<ILdapRule> rules = getRules(PROP_LOCAL_CRL);
@@ -1302,7 +1303,7 @@ public class PublisherProcessor implements
private void publishNow(ILdapMapper mapper, ILdapPublisher publisher,
IRequest r, Object obj) throws ELdapException {
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
CMS.debug("PublisherProcessor: in publishNow()");
LDAPConnection conn = null;
@@ -1365,7 +1366,7 @@ public class PublisherProcessor implements
// for crosscerts
private void publishNow(ILdapMapper mapper, ILdapPublisher publisher,
IRequest r, byte[] bytes) throws EBaseException {
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
CMS.debug("PublisherProcessor: in publishNow() for xcerts");
@@ -1414,7 +1415,7 @@ public class PublisherProcessor implements
private void unpublishNow(ILdapMapper mapper, ILdapPublisher publisher,
IRequest r, Object obj) throws ELdapException {
- if (!enabled())
+ if (!isCertPublishingEnabled())
return;
LDAPConnection conn = null;
@@ -1452,13 +1453,28 @@ public class PublisherProcessor implements
}
}
- public boolean enabled() {
+ @Override
+ public boolean isCertPublishingEnabled() {
+ if (!mInited) return false;
try {
- if (mInited)
- return mConfig.getBoolean(PROP_ENABLE, false);
- else
- return false;
+ if (!mConfig.getBoolean(PROP_ENABLE, false)) return false;
+ return mConfig.getBoolean(PROP_CERT_ENABLE, true);
} catch (EBaseException e) {
+ // this should never happen
+ CMS.debug("Error getting publishing config: " + e);
+ return false;
+ }
+ }
+
+ @Override
+ public boolean isCRLPublishingEnabled() {
+ if (!mInited) return false;
+ try {
+ if (!mConfig.getBoolean(PROP_ENABLE, false)) return false;
+ return mConfig.getBoolean(PROP_CRL_ENABLE, true);
+ } catch (EBaseException e) {
+ // this should never happen
+ CMS.debug("Error getting publishing config: " + e);
return false;
}
}
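Review bot: `isCertPublishingEnabled()` and `isCRLPublishingEnabled()` are the same nine lines with one property name swapped, and the `// this should never happen` comment in each catch is not accurate: if `mConfig.getBoolean` rejects a malformed value with EBaseException, the method returns false and publishing (including CRL distribution) is switched off with only a debug line to show for it. Fold both into one private helper so the master-switch logic lives in one place, and make the comment say what the branch actually handles so a misconfiguration is recognisable in the log. Raising that message above debug level is worth considering if this class has access to the system logger; I cannot see that from the hunk.
```java
    @Override
    public boolean isCertPublishingEnabled() {
        return isPublishingEnabled(PROP_CERT_ENABLE);
    }

    @Override
    public boolean isCRLPublishingEnabled() {
        return isPublishingEnabled(PROP_CRL_ENABLE);
    }

    /**
     * Publishing of one object type is on only when the master switch
     * (PROP_ENABLE) is on and the per-type switch is not explicitly off.
     */
    private boolean isPublishingEnabled(String typeProp) {
        if (!mInited) return false;
        try {
            if (!mConfig.getBoolean(PROP_ENABLE, false)) return false;
            return mConfig.getBoolean(typeProp, true);
        } catch (EBaseException e) {
            // Reached when a publishing flag cannot be read as a boolean;
            // publishing is then treated as off, so make the cause visible.
            CMS.debug("PublisherProcessor: error reading " + typeProp + ": " + e);
            return false;
        }
    }
```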
--
2.7.3