merge identity name check in NEW/REVOKE
Change-Id: I845827438b63e8dcdc955dcc89a0d6634e6bfc79
diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 0f1d800..8cd8475 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -282,6 +282,25 @@
"Unrecognized self-signed certificate."));
return;
}
+
+ // verify identity name
+ if (!m_config.m_caItem.m_caPrefix.isPrefixOf(clientCert->getIdentity())
+ || !security::v2::Certificate::isValidName(clientCert->getName())
+ || clientCert->getIdentity().size() <= m_config.m_caItem.m_caPrefix.size()) {
+ _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
+ m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
+ "An invalid certificate name is being requested."));
+ return;
+ }
+ if (m_config.m_caItem.m_maxSuffixLength) {
+ if (clientCert->getIdentity().size() > m_config.m_caItem.m_caPrefix.size() + *m_config.m_caItem.m_maxSuffixLength) {
+ _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
+ m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
+ "An invalid certificate name is being requested."));
+ return;
+ }
+ }
+
if (requestType == RequestType::NEW) {
// check the validity period
auto expectedPeriod = clientCert->getValidityPeriod().getPeriod();
@@ -294,23 +313,7 @@
"An invalid validity period is being requested."));
return;
}
- // verify identity name
- if (!m_config.m_caItem.m_caPrefix.isPrefixOf(clientCert->getIdentity())
- || !security::v2::Certificate::isValidName(clientCert->getName())
- || clientCert->getIdentity().size() <= m_config.m_caItem.m_caPrefix.size()) {
- _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
- m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
- "An invalid certificate name is being requested."));
- return;
- }
- if (m_config.m_caItem.m_maxSuffixLength) {
- if (clientCert->getIdentity().size() > m_config.m_caItem.m_caPrefix.size() + *m_config.m_caItem.m_maxSuffixLength) {
- _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
- m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
- "An invalid certificate name is being requested."));
- return;
- }
- }
+
// verify signature
if (!security::verifySignature(*clientCert, *clientCert)) {
_LOG_ERROR("Invalid signature in the self-signed certificate.");
@@ -326,23 +329,7 @@
}
}
else if (requestType == RequestType::REVOKE) {
- // verify identity name
- if (!m_config.m_caItem.m_caPrefix.isPrefixOf(clientCert->getIdentity())
- || !security::v2::Certificate::isValidName(clientCert->getName())
- || clientCert->getIdentity().size() <= m_config.m_caItem.m_caPrefix.size()) {
- _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
- m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
- "An invalid certificate name is being requested."));
- return;
- }
- if (m_config.m_caItem.m_maxSuffixLength) {
- if (clientCert->getIdentity().size() > m_config.m_caItem.m_caPrefix.size() + *m_config.m_caItem.m_maxSuffixLength) {
- _LOG_ERROR("An invalid certificate name is being requested " << clientCert->getName());
- m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::NAME_NOT_ALLOWED,
- "An invalid certificate name is being requested."));
- return;
- }
- }
+ //verify cert is from this CA
const auto& cert = m_keyChain.getPib().getIdentity(m_config.m_caItem.m_caPrefix).getDefaultKey().getDefaultCertificate();
if (!security::verifySignature(*clientCert, cert)) {
_LOG_ERROR("Invalid signature in the certificate to revoke.");