Re: [Pki-devel] [PATCH] 65 Added cert revocation REST service.
I'm posting some new patches. Please apply in this order: 71, 65-2,
66-2, 72.
On 6/27/2012 2:42 PM, Ade Lee wrote:
1. In revokeCert(), you should throw BadRequestException() or
similar
rather than EBaseException if the cert being revoked is the CA cert, or
if the cert is already revoked. That should show up as a 4XX error.
Fixed. I also added UnauthorizedException.
2. It looks like you do not handle nonces. We need a task to figure
out
how to do this.
https://fedorahosted.org/pki/ticket/213
3. There is still a fair amount of logic that is in the legacy
servlet
and RESTful servlet. I would suggest moving the logic that checks
whether or not the cert should be revoked - ie. is already revoked, or
ca cert already revoked or belongs to different subject or is a system
cert to processor.addCertificateToRevoke() or some similar method. You
can use exceptions/ returns to populate rarg appropriately in the legacy
servlet.
Some cert validation logic has been moved into
validateCertificateToRevoke(). There is an authorization logic that I
left in the servlet/REST service, it should be moved to Tomcat
authentication later.
4. What happens if the request is pending or rejected -- ie. not
completed. How would the client know? Should we be returning some kind
of revocation status object? Or the revocation request itself?
The REST methods now return the request objects which contain the
request status. The CLI will check, if the status is complete it will
show the cert info. Otherwise, it will show the request status.
--
Endi S. Dewata
Attachments:
- pki-edewata-0065-2-Added-cert-revocation-REST-service.patch (text/x-patch — 123.4 KB)