Bug 457983 - CA certificate enrollment profile framework allows user-specified extensions by default
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Profile
1.0
All Linux
high Severity high
Assigned To: Christina Fu
Chandrasekar Kannan
Duplicates: 465386
Blocks: 443788
Reported: 2008-08-05 17:57 EDT by Christina Fu
Modified: 2015-01-04 18:33 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:29:27 EDT

Attachments
changed default to not allow user supplied extension values in cert requests (1.92 KB, text/plain)
2008-08-05 17:59 EDT, Christina Fu

Description Christina Fu 2008-08-05 17:57:31 EDT
Description of problem:
The CA certificate enrollment profile framework currently allows user-specified extensions by default without constraint check.  This is not correct.  By default, the user-specified extension values should be ignored unless the OID of the specific extension is enabled with UserExtensionDefault.
Comment 1 Christina Fu 2008-08-05 17:59:21 EDT
Created attachment 313491
changed default to not allow user supplied extension values in cert requests

jmagne please review.
Comment 2 Jack Magne 2008-08-06 13:10:52 EDT
attachment (id=313491) jmagne+
Comment 3 Christina Fu 2008-08-06 14:08:24 EDT
$ svn update src/com/netscape/cms/profile/common/EnrollProfile.java src/com/netscape/cms/profile/def/UserExtensionDefault.java
At revision 73.
At revision 73.
$ svn commit src/com/netscape/cms/profile/common/EnrollProfile.java src/com/netscape/cms/profile/def/UserExtensionDefault.java
Sending        src/com/netscape/cms/profile/common/EnrollProfile.java
Sending        src/com/netscape/cms/profile/def/UserExtensionDefault.java
Transmitting file data ..
Committed revision 74.
$ pwd
.../dogtag/src4/pki/base/common
Comment 4 Chandrasekar Kannan 2008-08-26 20:29:50 EDT
Bug already MODIFIED. Setting target CS8.0 and marking screened+
Comment 8 Chandrasekar Kannan 2009-06-23 09:05:46 EDT
Jenny - I have some tests documented in this directory for this purpose. 

https://svn.devel.redhat.com/repos/pki-tests/trunk/testframework/testcases/functional/profile_integrity/

Their README is https://svn.devel.redhat.com/repos/pki-tests/trunk/testframework/testcases/functional/profile_integrity/README

They are mostly tests for userSuppliedExtension in cert requests. I believe it will suffice for this bug.
Comment 9 Jenny Galipeau 2009-06-23 10:38:01 EDT
The following scenarios were verified by modifying the Agent-Authenticated Server Certificate Enrollment profile:

1. Request with no user supplied extensions
   success (both pem and crmf)
2. Request with 1 user supplied extension with valid value that matched constraint
   success (both pem and crmf)
3. Request with 1 user supplied extension with invalid values with constraint
   rejected (both pem and crmf)
4. Request with 1 valid extension with valid value not in profile
   pem rejected | crmf successful
5. Request with 1 valid extension with invalid value not in profile
   rejected (both pem and crmf)
6. Request with multiple valid extensions with valid values that match the constraints in the profile
   success (both pem and crmf)
7. Request with multiple valid extensions that are in the profile but one extension does not meet its constraints
   rejected (both pem and crmf)
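
The default-deny policy from the description, and the accept/reject outcomes listed in comment 9, can be modelled as follows. This is an added example, not part of the original bug report and not Dogtag code: the profile layout, the `evaluate` function and the `reject_unlisted` switch (reject versus silently ignore an extension whose OID is not enabled) are assumptions, and the requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Standard X.509 extension OIDs (RFC 5280).
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_BASIC_CONSTRAINTS = "2.5.29.19"

@dataclass(frozen=True)
class RequestedExtension:
    oid: str
    value: object  # decoded value; constructed sample data, not DER

# Hypothetical profile: only OIDs listed here accept requester-supplied
# values, and each value must satisfy the OID's constraint predicate.
PROFILE: Dict[str, Callable[[object], bool]] = {
    OID_SUBJECT_ALT_NAME: lambda names: bool(names) and all(
        n.endswith(".example.test") for n in names),
    OID_KEY_USAGE: lambda bits: set(bits) <= {"digitalSignature", "keyEncipherment"},
}

def evaluate(requested: List[RequestedExtension], profile=PROFILE,
             reject_unlisted: bool = True) -> Tuple[str, list, list]:
    """Return (decision, accepted extensions, notes) for one request."""
    accepted, notes = [], []
    for ext in requested:
        constraint = profile.get(ext.oid)
        if constraint is None:  # OID not enabled in the profile: default deny
            if reject_unlisted:
                return "reject", [], [f"{ext.oid}: not enabled in profile"]
            notes.append(f"{ext.oid}: not enabled in profile, ignored")
            continue
        if not constraint(ext.value):
            return "reject", [], [f"{ext.oid}: value violates constraint"]
        accepted.append(ext)
    return "issue", accepted, notes

if __name__ == "__main__":
    # Constructed request: an allowed SAN plus a requester-supplied CA flag.
    req = [RequestedExtension(OID_SUBJECT_ALT_NAME, ["www.example.test"]),
           RequestedExtension(OID_BASIC_CONSTRAINTS, {"ca": True})]
    print(evaluate(req))                         # rejected outright
    print(evaluate(req, reject_unlisted=False))  # issued, CA flag dropped
```

Whichever mode is chosen, applying it identically to every request encoding avoids a split result like the one recorded for scenario 4.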
Comment 10 Jenny Galipeau 2009-06-25 11:59:36 EDT
*** Bug 465386 has been marked as a duplicate of this bug. ***
