Bug 458499

Summary: subject name uniqueness plugin for profiles rejects requests even if existing certs are revoked or expired
Product: [Retired] Dogtag Certificate System
Reporter: Ade Lee <alee>
Component: Profile
Assignee: Ade Lee <alee>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 1.0
CC: benl, cfu, dlackey, jgalipea, mharmsen, tao
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:34 UTC
Bug Blocks: 443788
Attachments (flags: none):
patch to fix
patch version 2
patch v3

Description Ade Lee 2008-08-08 21:36:25 UTC
Description of problem:
The subject name uniqueness plugin should not allow duplicate names if the existing certificate has been revoked or has expired.  This behavior is the default behavior in Policies.

The default behavior in policies needs to be implemented.  The one exception is that duplicate names should not be allowed when the certificate is on hold - because it may be subsequently restored.

Steps to Reproduce:
1. Enable unique subject name plugin using profiles.
2. Enroll a cert.
3. Request another cert with the same subject name.  This will fail.
4. Revoke the first cert - for any reason other than on-hold
5. Request a cert with the same subject name.  This will (and should not) fail.

Comment 1 Ade Lee 2008-08-08 21:42:46 UTC
Created attachment 313852 [details]
patch to fix

cfu please review.

Comment 2 Ade Lee 2008-08-13 16:53:33 UTC
Created attachment 314224 [details]
patch version 2

New patch - based on comments in review
cfu - please ack.

Comment 3 Ade Lee 2008-08-13 19:19:36 UTC
Created attachment 314239 [details]
patch v3

added debug statements and description per cfu request.
cfu please ack.

Comment 4 Ade Lee 2008-08-13 19:20:28 UTC
Copying Deon:

Deon - doc changes will be needed for this for 8.0.

The subject uniqueness constraint has been enhanced, and has a new parameter as
detailed below:

Rules are as follows:
If the subject name is not unique, then the request will be rejected unless:
1. the certificate is expired or expired_revoked
2. the certificate is revoked and the revocation reason is not "on hold"
3. the keyUsageExtension bits are different and enableKeyUsageExtensionChecking is set to true (default)
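
The three rules above, worked through as an added example that is my own model and not Dogtag's UniqueSubjectNameConstraint.java (which this page does not show): the Status names, the revocation_reason field, and the key_usage tuple shape are assumptions; the before-fix function reproduces the behaviour in the bug's steps 4 and 5.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Constructed model of the rules in comment 4. It is NOT Dogtag's
# UniqueSubjectNameConstraint.java (not shown on this page); the status
# names, the revocation_reason field and the key_usage shape are assumptions.

class Status(Enum):
    VALID = "VALID"
    EXPIRED = "EXPIRED"
    REVOKED = "REVOKED"
    REVOKED_EXPIRED = "REVOKED_EXPIRED"   # "expired_revoked" in the comment

# CRL reason code 6 is certificateHold (RFC 5280); any other code counts as
# "any reason other than on-hold" in the bug's reproduction steps.
CERTIFICATE_HOLD = 6

@dataclass
class ExistingCert:
    status: Status
    revocation_reason: Optional[int] = None
    key_usage: Tuple[bool, ...] = ()      # keyUsage extension bits

def cert_blocks_request(cert: ExistingCert, requested_key_usage: Tuple[bool, ...],
                        enable_key_usage_checking: bool = True) -> bool:
    """True if this existing cert with the same subject name must cause rejection."""
    # Rule 1: expired or expired_revoked certs never block a new request.
    if cert.status in (Status.EXPIRED, Status.REVOKED_EXPIRED):
        return False
    # Rule 2: a revoked cert blocks only when it is on hold, since a held
    # cert can be restored to VALID later (the exception in the description).
    if cert.status == Status.REVOKED:
        return cert.revocation_reason == CERTIFICATE_HOLD
    # Rule 3: a live cert with different keyUsage bits does not block when
    # enableKeyUsageExtensionChecking is true (the default).
    if enable_key_usage_checking and cert.key_usage != requested_key_usage:
        return False
    return True

def request_allowed(existing: List[ExistingCert], requested_key_usage: Tuple[bool, ...],
                    enable_key_usage_checking: bool = True) -> bool:
    """Fixed behaviour: reject only if some existing cert still blocks."""
    return not any(cert_blocks_request(c, requested_key_usage, enable_key_usage_checking)
                   for c in existing)

def request_allowed_before_fix(existing: List[ExistingCert]) -> bool:
    """Behaviour reported in the bug: any existing cert with the name rejects."""
    return len(existing) == 0
```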

Comment 5 Christina Fu 2008-08-13 21:49:04 UTC
(In reply to comment #3)
> Created an attachment (id=314239) [details]
> patch v3
> 
> added debug statements and description pre cfu request.
> cfu please ack.

cfu+

Comment 6 Ade Lee 2008-08-14 14:52:50 UTC
Sending        base/common/src/UserMessages_en.properties
Sending        base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 109.

Comment 7 Chandrasekar Kannan 2008-08-27 00:30:03 UTC
Bug already MODIFIED. Setting target CS8.0 and marking screened+

Comment 10 Jenny Severance 2009-06-29 17:21:39 UTC
Verified:

1. Created user profile with enable unique subject name constraint.
2. Requested certificate.
3. Request another cert with the same subject name.
4. Approved the first request.
5. Attempt to approve second request - Failed constraint.
6. Revoked first certificate with reason on Hold.
7. Attempt to approve second request - Failed constraint.
8. Took first certificate off hold and revoked with other reason.
9. Attempt to approve second request was successful.