Bug 458499
| Field | Value |
|---|---|
| Summary | subject name uniqueness plugin for profiles rejects requests even if existing certs are revoked or expired |
| Product | [Retired] Dogtag Certificate System |
| Component | Profile |
| Reporter | Ade Lee <alee> |
| Assignee | Ade Lee <alee> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 1.0 |
| CC | benl, cfu, dlackey, jgalipea, mharmsen, tao |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2009-07-22 23:29:34 UTC |
| Bug Blocks | 443788 |

Description
Ade Lee
2008-08-08 21:36:25 UTC
Created attachment 313852 [details]
patch to fix
cfu please review.
Created attachment 314224 [details]
patch version 2
New patch - based on comments in review
cfu - please ack.
Created attachment 314239 [details]
patch v3
added debug statements and description per cfu request.
cfu please ack.
Copying Deon:

Deon - doc changes will be needed for this for 8.0. The subject uniqueness constraint has been enhanced, and has a new parameter as detailed below:

Rules are as follows:

If the subject name is not unique, then the request will be rejected unless:

* 1. the certificate is expired or expired_revoked
* 2. the certificate is revoked and the revocation reason is not "on hold"
* 3. the keyUsageExtension bits are different and enableKeyUsageExtensionChecking is set to true (default)

(In reply to comment #3)
> Created an attachment (id=314239) [details]
> patch v3
>
> added debug statements and description per cfu request.
> cfu please ack.

cfu+

Sending base/common/src/UserMessages_en.properties
Sending base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
Sending linux/common/pki-common.spec
Transmitting file data ...
Committed revision 109.

Bug already MODIFIED. setting target CS8.0 and marking screened+

Verified:

1. Created user profile with enable unique subject name constraint.
2. Requested certificate.
3. Request another cert with the same subject name.
4. Approved the first request.
4. Attempt to approve second request - Failed constraint.
5. Revoked first certificate with reason on Hold.
6. Attempt to approve second request - Failed constraint.
7. Took first certificate off hold and revoked with other reason.
8. Attempt to approve second request was successful.
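
The three exceptions listed in the doc-change comment above, modeled as a decision function and replayed against the verification steps. This is an added example, not the patch attached to this bug or Dogtag's own code; the record type, the status strings, the sample key usage values, and the reading that every same-subject certificate must meet one exception are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

ON_HOLD = "certificateHold"  # RFC 5280 reason code 6; the bug calls it "on hold"


@dataclass(frozen=True)
class ExistingCert:
    """Constructed record for an already-issued cert with the same subject name."""
    status: str  # hypothetical values: valid, expired, revoked, expired_revoked
    revocation_reason: Optional[str] = None
    key_usage: frozenset = frozenset()


def blocks_reuse(cert, requested_key_usage, enable_key_usage_extension_checking=True):
    """True if this existing cert should cause the new request to be rejected."""
    # Rule 1: expired (or expired and revoked) certificates never block.
    if cert.status in ("expired", "expired_revoked"):
        return False
    # Rule 2: a revoked cert does not block, unless it is only on hold;
    # a hold can be lifted, which would make the old cert valid again.
    if cert.status == "revoked" and cert.revocation_reason != ON_HOLD:
        return False
    # Rule 3: differing key usage bits are an exception only when the
    # enableKeyUsageExtensionChecking parameter is true (its default).
    if enable_key_usage_extension_checking and cert.key_usage != requested_key_usage:
        return False
    return True


def request_allowed(existing: Iterable[ExistingCert], requested_key_usage,
                    enable_key_usage_extension_checking=True):
    """Assumption: every same-subject cert must meet one of the exceptions."""
    return not any(
        blocks_reuse(c, requested_key_usage, enable_key_usage_extension_checking)
        for c in existing
    )


def replay_verification():
    """Replays the QA steps from the bug with constructed data."""
    ku = frozenset({"digitalSignature", "keyEncipherment"})  # constructed sample
    first_cert_states = [
        ExistingCert("valid", None, ku),               # first request approved
        ExistingCert("revoked", ON_HOLD, ku),          # revoked with reason on hold
        ExistingCert("revoked", "keyCompromise", ku),  # off hold, other reason
    ]
    return [request_allowed([state], ku) for state in first_cert_states]
```

`replay_verification()` returns the outcome of approving the second request at each stage of the verification run: rejected, rejected, then allowed.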