Red Hat Bugzilla – Attachment 314224 Details for
Bug 458499
subject name uniqueness plugin for profiles rejects requests even if existing certs are revoked or expired
[patch]
patch version 2
patch.dogtag2 (text/plain), 7.60 KB, created by
Ade Lee
on 2008-08-13 16:53:33 UTC
Description:
patch version 2
Filename:
MIME Type:
Creator:
Ade Lee
Created:
2008-08-13 16:53:33 UTC
Size:
7.60 KB
patch
obsolete
>Index: pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
>===================================================================
>--- pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java (revision 108)
>+++ pki/base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java (working copy)
>@@ -41,7 +41,12 @@
> */
> public class UniqueSubjectNameConstraint extends EnrollConstraint {
> 
>+ public static final String CONFIG_KEY_USAGE_EXTENSION_CHECKING =
>+ "enableKeyUsageExtensionChecking";
>+ private boolean mKeyUsageExtensionChecking = true;
>+ 
> public UniqueSubjectNameConstraint() {
>+ addConfigName(CONFIG_KEY_USAGE_EXTENSION_CHECKING);
> }
> 
> public void init(IProfile profile, IConfigStore config)
>@@ -50,6 +55,10 @@
> }
> 
> public IDescriptor getConfigDescriptor(Locale locale, String name) {
>+ if (name.equals(CONFIG_KEY_USAGE_EXTENSION_CHECKING)) {
>+ return new Descriptor(IDescriptor.BOOLEAN, null, "true",
>+ CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING"));
>+ }
> return null;
> }
> 
>@@ -57,6 +66,62 @@
> return null;
> }
> 
>+ /**
>+ * Checks if the key extension in the issued certificate
>+ * is the same as the one in the certificate template.
>+ */
>+ private boolean sameKeyUsageExtension(ICertRecord rec,
>+ X509CertInfo certInfo) {
>+ X509CertImpl impl = rec.getCertificate();
>+ boolean bits[] = impl.getKeyUsage();
>+ 
>+ CertificateExtensions extensions = null;
>+ 
>+ try {
>+ extensions = (CertificateExtensions)
>+ certInfo.get(X509CertInfo.EXTENSIONS);
>+ } catch (IOException e) {
>+ } catch (java.security.cert.CertificateException e) {
>+ }
>+ KeyUsageExtension ext = null;
>+ 
>+ if (extensions == null) {
>+ if (bits != null)
>+ return false;
>+ } else {
>+ try {
>+ ext = (KeyUsageExtension) extensions.get(
>+ KeyUsageExtension.NAME);
>+ } catch (IOException e) {
>+ // extension isn't there.
>+ }
>+ 
>+ if (ext == null) {
>+ if (bits != null)
>+ return false;
>+ } else {
>+ boolean[] InfoBits = ext.getBits();
>+ 
>+ if (InfoBits == null) {
>+ if (bits != null)
>+ return false;
>+ } else {
>+ if (bits == null)
>+ return false;
>+ if (InfoBits.length != bits.length) {
>+ return false;
>+ }
>+ for (int i = 0; i < InfoBits.length; i++) {
>+ if (InfoBits[i] != bits[i])
>+ return false;
>+ }
>+ }
>+ }
>+ }
>+ return true;
>+ }
>+ 
>+ 
> /**
> * Validates the request. The request is not modified
> * during the validation.
>@@ -66,7 +131,8 @@
> CMS.debug("UniqueSubjectNameConstraint: validate start");
> CertificateSubjectName sn = null;
> IAuthority authority = (IAuthority)CMS.getSubsystem("ca");
>- 
>+ 
>+ mKeyUsageExtensionChecking = getConfigBoolean(CONFIG_KEY_USAGE_EXTENSION_CHECKING);
> ICertificateRepository certdb = null;
> if (authority != null && authority instanceof ICertificateAuthority) {
> ICertificateAuthority ca = (ICertificateAuthority)authority;
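Review bot: The two empty catch blocks around `certInfo.get(X509CertInfo.EXTENSIONS)` in sameKeyUsageExtension turn a failure to read the request's extensions into `extensions == null`, and when the existing certificate carries key-usage bits that path returns false, so the caller in validate() skips the record and the same-subject request is no longer rejected — an unreadable template fails open rather than closed. If `get()` can throw for a malformed extension block and not only for an absent one (not visible here), the error should be logged with CMS.debug like the other failures in this file and the comparison treated as inconclusive, i.e. the existing record keeps blocking. The local `boolean[] InfoBits` also breaks the lowerCamelCase used by the surrounding code (`bits`, `ext`), and the element-wise loop could be `java.util.Arrays.equals(infoBits, bits)` if that import is acceptable in this file.
```java
        try {
            extensions = (CertificateExtensions)
                certInfo.get(X509CertInfo.EXTENSIONS);
        } catch (IOException e) {
            // An unreadable extension block cannot prove the key usage differs:
            // keep the existing record as a blocker instead of skipping it.
            CMS.debug("UniqueSubjectNameConstraint: cannot read request extensions: " + e.toString());
            return true;
        } catch (java.security.cert.CertificateException e) {
            CMS.debug("UniqueSubjectNameConstraint: cannot read request extensions: " + e.toString());
            return true;
        }
        // … unchanged: KeyUsageExtension lookup and bit comparison …
```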
>@@ -95,7 +161,42 @@
> } catch (EBaseException e) {
> CMS.debug("UniqueSubjectNameConstraint exception: "+e.toString());
> }
>- if (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) {
>+ while (sameSubjRecords != null && sameSubjRecords.hasMoreElements()) {
>+ ICertRecord rec = (ICertRecord) sameSubjRecords.nextElement();
>+ String status = rec.getStatus();
>+ 
>+ IRevocationInfo revocationInfo = rec.getRevocationInfo();
>+ RevocationReason reason = null;
>+ 
>+ if (revocationInfo != null) {
>+ CRLExtensions crlExts = revocationInfo.getCRLEntryExtensions();
>+ 
>+ if (crlExts != null) {
>+ Enumeration enumx = crlExts.getElements();
>+ 
>+ while (enumx.hasMoreElements()) {
>+ Extension ext = (Extension) enumx.nextElement();
>+ 
>+ if (ext instanceof CRLReasonExtension) {
>+ reason = ((CRLReasonExtension) ext).getReason();
>+ }
>+ }
>+ }
>+ }
>+ 
>+ if (status.equals(ICertRecord.STATUS_EXPIRED) || status.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) {
>+ continue;
>+ }
>+ 
>+ if (status.equals(ICertRecord.STATUS_REVOKED) && reason != null &&
>+ (! reason.equals(RevocationReason.CERTIFICATE_HOLD))) {
>+ continue;
>+ }
>+ 
>+ if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info)) {
>+ continue;
>+ }
>+ 
> throw new ERejectException(
> CMS.getUserMessage(getLocale(request),
> "CMS_PROFILE_SUBJECT_NAME_NOT_UNIQUE",
>@@ -105,8 +206,12 @@
> }
> 
> public String getText(Locale locale) {
>+ String params[] = {
>+ getConfig(CONFIG_KEY_USAGE_EXTENSION_CHECKING)
>+ };
> return CMS.getUserMessage(locale,
>- "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT");
>+ "CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT",
>+ params);
> }
> 
> public boolean isApplicable(IPolicyDefault def) {
> 
>Index: pki/base/common/src/UserMessages_en.properties
>===================================================================
>--- pki/base/common/src/UserMessages_en.properties (revision 108)
>+++ pki/base/common/src/UserMessages_en.properties (working copy)
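Review bot: Nothing in the new record loop documents that the key-usage bypass is on by default (`mKeyUsageExtensionChecking = true` and the descriptor default `"true"` in the earlier hunks), so after this patch an active, unrevoked certificate with the same subject name no longer blocks a request whose template carries a different KeyUsage extension, and profiles that relied on strict subject uniqueness must set enableKeyUsageExtensionChecking to false. That deserves a sentence in the class Javadoc (outside this hunk) and a comment on the `if (mKeyUsageExtensionChecking && !sameKeyUsageExtension(rec, info))` line, e.g. `// A different key usage is not treated as a duplicate; enabled by default.`. Separately, the CRL-reason scan runs for every record before the cheap status checks; moving the two `status` tests ahead of it, or extracting the scan into a private `getRevocationReason(ICertRecord)` helper, would make the loop easier to follow, and `status.equals(...)` dereferences `rec.getStatus()` without a null check — confirm the repository never returns a record without a status. The enclosing validate() method begins and ends outside this hunk.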
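Review bot: `getText` now passes `params` into CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT, but the UserMessages_en.properties hunk in this patch only adds CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING and does not touch that message; unless it already contains a `{0}` placeholder (not visible here), the configured value is silently dropped from the rendered constraint text. Either update the message in the same patch or add a comment on the `String params[] = {` line stating which placeholder it fills. The C-style `String params[]` declaration would also read better as the Java form `String[] params`.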
>@@ -740,6 +740,7 @@
> CMS_PROFILE_ENCODING_ERROR=Error in BER encoding
> CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key
> CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys
>+CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests
> CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0}
> CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation.
> CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0}
> 
>Index: pki/linux/common/pki-common.spec
>===================================================================
>--- pki/linux/common/pki-common.spec (revision 108)
>+++ pki/linux/common/pki-common.spec (working copy)
>@@ -33,7 +33,7 @@
> ## Package Header Definitions
> %define base_name %{base_prefix}-%{base_component}
> %define base_version 1.0.0
>-%define base_release 16
>+%define base_release 17
> %define base_group System Environment/Base
> %define base_vendor Red Hat, Inc.
> %define base_license GPLv2 with exceptions
>@@ -298,6 +298,8 @@
> ###############################################################################
> 
> %changelog
>+* Wed Aug 13 2008 Ade Lee <alee@redhat.com> 1.0.0-17
>+- Fix for Bug 458499: UniqueSubjectName plugin for plugins does not account for revoked certs
> * Fri Aug 8 2008 Andrew Wnuk <awnuk@redhat.com> 1.0.0-16
> - Fix for Bug 453834.
> * Thu Aug 7 2008 Jack Magne <jmagne@redhat.com> 1.0.0-15
>