Don't try to revoke a cert that is already revoked.

We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
2025-02-25 18:55:28 -06:00 · 2010-02-26 12:30:01 -05:00 · 2010-02-26 12:30:01 -05:00 · 0700f4d7ca
commit 0700f4d7ca
parent fc13134455
2 changed files with 22 additions and 5 deletions
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@ -286,12 +286,19 @@ class cert_request(VirtualCommand):
        if 'usercertificate' in service:
            serial = get_serial(base64.b64encode(service['usercertificate'][0]))
            # revoke the certificate and remove it from the service
-            # entry before proceeding
+            # entry before proceeding. First we retrieve the certificate to
+            # see if it is already revoked, if not then we revoke it.
+            try:
+                result = api.Command['cert_get'](unicode(serial))['result']
+                if 'revocation_reason' not in result:
                    try:
                        api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
                    except errors.NotImplementedError:
                        # some CA's might not implement revoke
                        pass
+            except errors.NotImplementedError:
+                # some CA's might not implement get
+                pass
            api.Command['service_mod'](principal, usercertificate=None)

        # Request the certificate
@ -367,6 +374,10 @@ class cert_get(VirtualCommand):
            label=_('Subject'),
            flags=['no_create', 'no_update', 'no_search'],
        ),
+        Str('revocation_reason?',
+            label=_('Revocation reason'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
    )

    operation="retrieve certificate"
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@ -199,9 +199,15 @@ class service_del(LDAPDelete):
            if cert:
                serial = unicode(get_serial(cert))
                try:
-                    self.api.Command['cert_revoke'](serial, revocation_reason=5)
+                    result = api.Command['cert_get'](unicode(serial))['result']
+                    if 'revocation_reason' not in result:
+                        try:
+                            api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
                        except errors.NotImplementedError:
-                    # selfsign CA doesn't do revocation
+                            # some CA's might not implement revoke
+                            pass
+                except errors.NotImplementedError:
+                    # some CA's might not implement revoke
                    pass
        return dn