Bug 480255

Summary: User Certificate gets renewed when cert is not in grace period.
Product: [Retired] Dogtag Certificate System
Component: Certificate Manager
Reporter: Asha Akkiangady <aakkiang>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: unspecified
CC: awnuk, benl, jgalipea, jmagne, mharmsen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:31:11 UTC
Bug Blocks: 443788

Attachments (flags):
- calculate the time diff in terms of milliseconds instead of days (none)
- spec file diff (none)
- had to resolve to BigInteger (none)

Description Asha Akkiangady 2009-01-16 00:14:34 UTC
Description of problem:
User certificate gets renewed when cert has Not After date 31 days from today. (caUserCert.cfg for renewal has graceBefore=30 and graceAfter=30).

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set CA profile caDirUserCert.cfg to have a validity period of 31 days
(policyset.userCertSet.2.default.params.range=31), restart CA.

2. From the CA enrollment page, enroll for profile "Directory-Authenticated User Dual-Use Certificate Enrollment" with a valid uid and password; a certificate is generated valid for 31 days.

3. Set CA profile caDirUserCert.cfg to have a default validity period of 180 days
(policyset.userCertSet.2.default.params.range=180), restart CA.

4. From the CA enrollment page, enroll for profile "Directory-Authenticated User Certificate Self-Renew profile", provide user id, password and serial number of the cert.

Actual results:
Certificate gets renewed.

Expected results:
Error message "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date".

Additional info:
Same problem is found when renewal is done in other 2 ways (SSLClient and Manual agent approved).

Comment 1 Christina Fu 2009-04-02 18:49:08 UTC
*** Bug 481373 has been marked as a duplicate of this bug. ***

Comment 2 Christina Fu 2009-04-06 23:04:42 UTC
Please supply your test profile. To test the grace period, you must have the following parameters in your profile, and have them enabled in the policyset list:

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Since I do not see these in your bug report description, I am requesting you to attach your profile so I can take a look.  Thanks.

Comment 3 Asha Akkiangady 2009-04-07 16:35:59 UTC
Yes, the renewal grace period has the default values as mentioned in the Description of problem above.

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Comment 4 Christina Fu 2009-06-10 16:31:00 UTC
Created attachment 347253 [details]
calculate the time diff in terms of milliseconds instead of days

Comment 5 Christina Fu 2009-06-10 16:42:57 UTC
Created attachment 347254 [details]
spec file diff

Comment 6 Matthew Harmsen 2009-06-10 16:44:43 UTC
attachment (id=347253)
attachment (id=347254)
+mharmsen

Comment 7 Christina Fu 2009-06-10 17:01:08 UTC
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Sending        src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 575.


[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/dogtag/common
[cfu@jaw common]$ svn commit pki-common.spec
Sending        pki-common.spec
Transmitting file data .
Committed revision 576.

Comment 8 Christina Fu 2009-06-10 20:57:12 UTC
The fix actually is no good.

Comment 9 Christina Fu 2009-06-10 21:50:44 UTC
Created attachment 347298 [details]
had to resolve to BigInteger

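The following is an added example illustrating the fix described in Comment 4 and Comment 9; it is editor-written code, not Dogtag's RenewGracePeriodConstraint.java or either attachment. The day-granularity version of the check is a hypothetical reconstruction of the pre-fix logic inferred from the attachment title and the reported behaviour (a 31-day cert renewed right after issuance is 30.99 days from expiry, which truncates to 30), and the overflow explanation for BigInteger (30 days in milliseconds exceeds a Java int) is likewise my reading of the bug rather than something it states. Method names, the clock value and the three sample dates are constructed.

```java
import java.math.BigInteger;
import java.util.Date;

/**
 * Added example (not Dogtag's RenewGracePeriodConstraint.java): the same
 * grace-period test written at day and at millisecond granularity, to show
 * why a certificate 31 days from expiry slipped past graceBefore=30.
 */
public class GracePeriodCheck {
    static final long MS_PER_DAY = 24L * 60 * 60 * 1000;   // 86,400,000

    /**
     * Day-granularity test (hypothetical reconstruction of the pre-fix logic):
     * the millisecond difference is truncated to whole days before comparing,
     * so 30.99 days counts as 30 and passes a 30-day window.
     */
    static boolean withinGraceByDays(Date now, Date notAfter,
                                     int graceBefore, int graceAfter) {
        long diffMs = notAfter.getTime() - now.getTime();
        long diffDays = diffMs / MS_PER_DAY;   // integer division truncates toward zero
        if (diffDays >= 0) {
            return diffDays <= graceBefore;     // renewing before expiry
        }
        return -diffDays <= graceAfter;         // renewing after expiry
    }

    /**
     * Millisecond-granularity test, as the fix describes. The window itself is
     * converted to milliseconds: 30 days is 2,592,000,000 ms, which does not fit
     * in a Java int (max 2,147,483,647), so an int product such as
     * graceBefore * 86400000 silently overflows; BigInteger (a long would also do
     * in this standalone example) avoids that.
     */
    static boolean withinGraceByMillis(Date now, Date notAfter,
                                       int graceBefore, int graceAfter) {
        BigInteger diff = BigInteger.valueOf(notAfter.getTime())
                                    .subtract(BigInteger.valueOf(now.getTime()));
        BigInteger msPerDay = BigInteger.valueOf(MS_PER_DAY);
        BigInteger beforeWindow = BigInteger.valueOf(graceBefore).multiply(msPerDay);
        BigInteger afterWindow  = BigInteger.valueOf(graceAfter).multiply(msPerDay);
        if (diff.signum() >= 0) {
            return diff.compareTo(beforeWindow) <= 0;   // before expiry
        }
        return diff.negate().compareTo(afterWindow) <= 0; // after expiry
    }

    /** Rejection text in the form the bug's "Expected results" quotes. */
    static String rejectMessage(int graceBefore, int graceAfter) {
        return "Request Rejected - Outside of Renewal Grace Period: " + graceBefore
             + " days before and " + graceAfter + " days after original cert expiration date";
    }

    public static void main(String[] args) {
        int graceBefore = 30, graceAfter = 30;
        // Constructed clock value (arbitrary epoch milliseconds), not a real test run.
        long nowMs = 1_232_064_000_000L;
        Date now = new Date(nowMs);

        // Case 1 (the bug's repro): cert issued a minute ago with 31-day validity,
        // so notAfter is 31 days minus one minute away, i.e. 30.999 days.
        Date repro = new Date(nowMs + 31 * MS_PER_DAY - 60_000L);
        // Case 2: cert expired 30 days and one hour ago (same truncation, after side).
        Date expired = new Date(nowMs - 30 * MS_PER_DAY - 3_600_000L);
        // Case 3: cert 29 days from expiry, which both tests correctly accept.
        Date inWindow = new Date(nowMs + 29 * MS_PER_DAY);

        Date[] cases = { repro, expired, inWindow };
        String[] labels = { "31 days - 1 min before expiry",
                            "30 days + 1 h after expiry",
                            "29 days before expiry" };
        for (int i = 0; i < cases.length; i++) {
            boolean byDays = withinGraceByDays(now, cases[i], graceBefore, graceAfter);
            boolean byMs   = withinGraceByMillis(now, cases[i], graceBefore, graceAfter);
            System.out.println(labels[i]
                + ": day check -> " + (byDays ? "renewed" : rejectMessage(graceBefore, graceAfter))
                + "; ms check -> "  + (byMs   ? "renewed" : rejectMessage(graceBefore, graceAfter)));
        }
    }
}
```

Cases 1 and 2 are renewed by the day-granularity check and rejected by the millisecond one; case 3 is renewed by both. The point for anyone writing a similar constraint: compare at the finest unit the clock provides and widen the arithmetic type before multiplying a day count into that unit, or the window quietly grows by up to a day at each edge.
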
Comment 10 Jack Magne 2009-06-10 22:00:07 UTC
Attachment (id=347298) +jmange

Comment 11 Christina Fu 2009-06-10 22:00:55 UTC
[cfu@jaw constraint]$ svn commit RenewGracePeriodConstraint.java
Sending        RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 581.

Comment 12 Jenny Severance 2009-06-11 17:07:10 UTC
Verified:

Sorry, your request has been rejected. The reason is "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date"