Bug 480714

Summary: Renewal: Revoked expired cert which is in the renew grace period is renewed.
Product: [Retired] Dogtag Certificate System
Component: Certificate Manager
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Asha Akkiangady <aakkiang>
Assignee: Ade Lee <alee>
QA Contact: Chandrasekar Kannan <ckannan>
CC: alee, awnuk, benl, cfu
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:31:17 UTC
Bug Blocks: 443788
Attachments: patch to fix (flags: none)

Description Asha Akkiangady 2009-01-20 00:56:14 UTC
Description of problem:
A cert which is expired and revoked, but still in the renew grace period, can be renewed.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:
Always

Steps to Reproduce:
1. Create a cert which is expired and revoked.
Step A: Turn your system clock to 40 days back from today.
Step B: Set caDirUserCert.cfg profile to issue a cert for 15 days, restart ca.
Step C: Issue a directory authenticated user cert through "Directory-Authenticated User Dual-Use Certificate Enrollment" profile.
Step D: Revoke the cert.
Step E: Set the system clock back to today.
2. Renew the cert.

  
Actual results:
Cert gets renewed.

Expected results:
Error message: Cannot renew a revoked certificate.

Additional info:

Comment 1 Christina Fu 2009-04-06 23:06:32 UTC
Please supply profile that you tested with.

Renewal grace period works with the following parameters:

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Comment 2 Asha Akkiangady 2009-04-07 16:31:12 UTC
Yes, the renewal grace period has the default values.

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Comment 3 Ade Lee 2009-05-29 20:10:22 UTC
Created attachment 345953
patch to fix

cfu, please review

one line change to take into account expired-revoked certs!

Comment 4 Christina Fu 2009-05-29 20:17:52 UTC
cfu+

Comment 5 Ade Lee 2009-05-29 20:32:26 UTC
[builder@oliver base]$ svn ci -m "Bugzilla Bug #480714 and #481659 - renewal fixes for expired_revoked certs and prevent key archival for renewals" common/
Sending        common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
Sending        common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Transmitting file data ..
Committed revision 503.
[builder@oliver base]$ cd ../dogtag/
[builder@oliver dogtag]$ svn ci -m "Bugzilla Bug #480714 and #481659 - renewal fixes for expired_revoked certs and prevent key archival for renewals" common/
Sending        common/pki-common.spec
Transmitting file data .
Committed revision 504.

Comment 6 Asha Akkiangady 2009-06-01 22:15:05 UTC
Verified.
When I tried to renew a revoked-expired cert which is in the renewal grace period, I got the error message: Sorry, your request is not submitted. The reason is "Certificate serial number 29 to be renewed is revoked. Cannot renew a revoked certificate".
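
The following is an added example, not part of the bug thread and not Dogtag source code: it models the reproduction timeline (cert issued 40 days ago, valid 15 days, graceBefore/graceAfter of 30) and shows why a renewal check that rejects only a plain revoked status lets a revoked-and-expired cert through. The class, the status names and the method names are hypothetical, and the assumption that the pre-fix check tested only the plain revoked status is inferred from the "expired_revoked" wording in the commit message, not shown on the page.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration; not Dogtag source. Status and method names are hypothetical,
// modeled on the "expired_revoked" wording in the commit message.
public class RenewalCheck {
    enum Status { VALID, EXPIRED, REVOKED, REVOKED_EXPIRED }

    // Grace window from the profile: renewal.graceBefore / renewal.graceAfter, in days.
    static boolean inGraceWindow(Instant notAfter, Instant now, int graceBefore, int graceAfter) {
        Instant opens = notAfter.minus(Duration.ofDays(graceBefore));
        Instant closes = notAfter.plus(Duration.ofDays(graceAfter));
        return !now.isBefore(opens) && !now.isAfter(closes);
    }

    // Assumed pre-fix behaviour: only the plain REVOKED status blocks renewal.
    static String decideBefore(Status s, Instant notAfter, Instant now) {
        if (s == Status.REVOKED) return "rejected: revoked";
        return inGraceWindow(notAfter, now, 30, 30) ? "renewed" : "rejected: outside grace period";
    }

    // Expected behaviour: any revoked status blocks renewal before the grace check runs.
    static String decideAfter(Status s, Instant notAfter, Instant now) {
        if (s == Status.REVOKED || s == Status.REVOKED_EXPIRED) return "rejected: revoked";
        return inGraceWindow(notAfter, now, 30, 30) ? "renewed" : "rejected: outside grace period";
    }

    public static void main(String[] args) {
        // Constructed timeline from the reproduction steps: issued 40 days ago, valid 15 days.
        Instant now = Instant.parse("2009-01-20T00:00:00Z");
        Instant notBefore = now.minus(Duration.ofDays(40));
        Instant notAfter = notBefore.plus(Duration.ofDays(15)); // expired 25 days before "now"
        // Revoked while valid, then expired: assumed to be recorded as REVOKED_EXPIRED.
        Status s = Status.REVOKED_EXPIRED;

        System.out.println("in grace window: " + inGraceWindow(notAfter, now, 30, 30));
        System.out.println("before fix: " + decideBefore(s, notAfter, now));
        System.out.println("after fix:  " + decideAfter(s, notAfter, now));
    }
}
```

The point for reviewers of similar code is ordering and completeness: the revocation test has to cover every status that means "revoked" and has to run before any time-window test can approve the request.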