// Check that the admin has revocation rights.
if (!authorizationSession.isAuthorizedNoLog(admin, AccessRulesConstants.REGULAR_REVOKEENDENTITY)) {
Authorizer.throwAuthorizationException(admin, AccessRulesConstants.REGULAR_REVOKEENDENTITY, null);
}
// To be fully backwards compatible we just use the first fingerprint found..
final CertificateInfo info = certificateStoreSession.findFirstCertificateInfo(issuerdn, certserno);
if (info == null) {
final String msg = intres.getLocalizedMessage("ra.errorfindentitycert", issuerdn, certserno.toString(16));
logSession.log(admin, LogConstants.INTERNALCAID, LogConstants.MODULE_RA, new Date(), null, null, LogConstants.EVENT_INFO_REVOKEDENDENTITY, msg);
throw new FinderException(msg);
}
final int caid = info.getIssuerDN().hashCode();
final String username = info.getUsername();
assertAuthorizedToCA(admin, caid, username, LogConstants.EVENT_ERROR_REVOKEDENDENTITY);
int certificateProfileId = info.getCertificateProfileId();
String userDataDN = info.getSubjectDN();
final CertReqHistory certReqHistory = certificateStoreSession.getCertReqHistory(admin, certserno, issuerdn);
UserData data = null;
if (certReqHistory == null || XkmsConfiguration.getEnabled()) {
// We could use userdata later, so try to find it
data = UserData.findByUsername(entityManager, username);
}
int endEntityProfileId = -1;
if (certReqHistory != null) {
// Get the EEP that was used in the original issuance, if we can find it
endEntityProfileId = certReqHistory.getUserDataVO().getEndEntityProfileId();
// Republish with the same user DN that was used in the original publication, if we can find it
userDataDN = certReqHistory.getUserDataVO().getDN();
// If for some reason the certificate profile id was not set in the certificate data, try to get it from the certreq history
if (certificateProfileId == SecConst.CERTPROFILE_NO_PROFILE) {
certificateProfileId = certReqHistory.getUserDataVO().getCertificateProfileId();
}
} else if (data != null) {
// Get the EEP that is currently used as a fallback, if we can find it
endEntityProfileId = data.getEndEntityProfileId();
// Republish with the same user DN that is currently used as a fallback, if we can find it
userDataDN = data.getSubjectDN();
// If for some reason the certificate profile id was not set in the certificate data, try to get it from current userdata
if (certificateProfileId == SecConst.CERTPROFILE_NO_PROFILE) {
certificateProfileId = data.getCertificateProfileId();
}
}
if (endEntityProfileId != -1) {
// We can only perform this check if we have a trail of what eep was used..
if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
assertAuthorizedToEndEntityProfile(admin, endEntityProfileId, AccessRulesConstants.REVOKE_RIGHTS, caid, username, LogConstants.EVENT_ERROR_REVOKEDENDENTITY);
}
}
// Check that unrevocation is not done on anything that can not be unrevoked
if (reason == RevokedCertInfo.NOT_REVOKED || reason == RevokedCertInfo.REVOCATION_REASON_REMOVEFROMCRL) {
if (info.getRevocationReason() != RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD) {
final String msg = intres.getLocalizedMessage("ra.errorunrevokenotonhold", issuerdn, certserno.toString(16));
logSession.log(admin, caid, LogConstants.MODULE_RA, new Date(), username, null, LogConstants.EVENT_INFO_REVOKEDENDENTITY, msg);
throw new AlreadyRevokedException(msg);
}
} else {
if (info.getRevocationReason() != RevokedCertInfo.NOT_REVOKED) {
final String msg = intres.getLocalizedMessage("ra.errorrevocationexists");
logSession.log(admin, caid, LogConstants.MODULE_RA, new Date(), username, null, LogConstants.EVENT_INFO_REVOKEDENDENTITY, msg);
throw new AlreadyRevokedException(msg);
}
}