Bug 457983

Summary: CA certificate enrollment profile framework allows user-specified extensions by default
Product: [Retired] Dogtag Certificate System
Component: Profile
Version: 1.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Hardware: All
OS: Linux
Reporter: Christina Fu <cfu>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, jgalipea, jmagne, tao
Target Milestone: ---
Target Release: ---
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 23:29:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 443788

Attachments:
changed default to not allow user supplied extension values in cert requests (flags: none)

Description Christina Fu 2008-08-05 21:57:31 UTC
Description of problem:
The CA certificate enrollment profile framework currently allows user-specified extensions by default without a constraint check. This is not correct. By default, the user-specified extension values should be ignored unless the OID of the specific extension is enabled with UserExtensionDefault.
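To make the corrected default concrete, here is an added Python model of the decision the profile framework makes for user-supplied extensions. It is example code written for this page, not Dogtag code and not the Java patch attached to this bug; the profile, the OIDs it enables, the subjectAltName constraint and the request values are all constructed for the example. The `allow_user_extensions_by_default` switch exists only so the pre-fix behaviour (copy any user extension through, unchecked) can be shown beside the fixed one (ignore the value unless its OID is enabled, and enforce the constraint when it is).

```python
"""Added example (not Dogtag code): model of an enrollment profile's handling
of user-supplied certificate extensions, before and after the default change
described in this bug."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Standard X.509 extension OIDs (real values).
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_EXT_KEY_USAGE = "2.5.29.37"


@dataclass
class RequestedExtension:
    """An extension carried in the enrollment request (PKCS#10 or CRMF).
    The value is a printable stand-in for the DER-encoded extension body."""
    oid: str
    value: str


@dataclass
class Profile:
    """Simplified enrollment profile (constructed for this example).
    user_extension_oids: OIDs enabled through a UserExtensionDefault; only for
      these is the requester's value honoured.
    constraints: per-OID acceptance check an honoured value must pass.
    allow_user_extensions_by_default: the pre-fix behaviour (copy everything)."""
    user_extension_oids: Set[str] = field(default_factory=set)
    constraints: Dict[str, Callable[[str], bool]] = field(default_factory=dict)
    allow_user_extensions_by_default: bool = False


class ProfileRejected(Exception):
    """Raised when an honoured extension value violates its constraint."""


def apply_user_extensions(profile: Profile,
                          requested: List[RequestedExtension]) -> List[RequestedExtension]:
    """Return the user-supplied extensions that will be set on the certificate."""
    accepted = []
    for ext in requested:
        if (ext.oid not in profile.user_extension_oids
                and not profile.allow_user_extensions_by_default):
            # Post-fix default: the request's value is ignored, not copied.
            continue
        check = profile.constraints.get(ext.oid)
        if check is not None and not check(ext.value):
            raise ProfileRejected(f"{ext.oid}={ext.value!r} violates profile constraint")
        accepted.append(ext)
    return accepted


def is_rejected(profile: Profile, requested: List[RequestedExtension]) -> bool:
    """True if the profile rejects the request outright."""
    try:
        apply_user_extensions(profile, requested)
    except ProfileRejected:
        return True
    return False


def _san_in_domain(value: str) -> bool:
    # Constructed constraint: only names under example.com are acceptable.
    return value == "example.com" or value.endswith(".example.com")


def post_fix_profile() -> Profile:
    """Profile with the corrected default: only subjectAltName is enabled."""
    return Profile(user_extension_oids={OID_SUBJECT_ALT_NAME},
                   constraints={OID_SUBJECT_ALT_NAME: _san_in_domain})


def legacy_profile() -> Profile:
    """The same profile with the pre-fix behaviour, for comparison."""
    p = post_fix_profile()
    p.allow_user_extensions_by_default = True
    return p


def run_scenarios() -> Dict[str, str]:
    """Constructed requests covering the cases this bug is about; returns a
    short outcome label per scenario."""
    san_ok = RequestedExtension(OID_SUBJECT_ALT_NAME, "www.example.com")
    san_bad = RequestedExtension(OID_SUBJECT_ALT_NAME, "www.example.net")
    eku = RequestedExtension(OID_EXT_KEY_USAGE, "serverAuth")  # OID not enabled
    fixed, legacy = post_fix_profile(), legacy_profile()

    def outcome(profile, reqs):
        if is_rejected(profile, reqs):
            return "rejected"
        kept = apply_user_extensions(profile, reqs)
        return "issued with " + (",".join(e.oid for e in kept) or "no user extensions")

    return {
        "no user extensions": outcome(fixed, []),
        "enabled OID, valid value": outcome(fixed, [san_ok]),
        "enabled OID, invalid value": outcome(fixed, [san_bad]),
        "OID not enabled in profile": outcome(fixed, [eku]),
        "OID not enabled, legacy default": outcome(legacy, [eku]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the defect itself: with the old default the profile has no constraint for the extended key usage OID, so an unenabled, unchecked requester value lands in the issued certificate. With the fixed default the same request is issued without that extension, and an enabled OID is only honoured when its value passes the profile constraint.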

Comment 1 Christina Fu 2008-08-05 21:59:21 UTC
Created attachment 313491
changed default to not allow user supplied extension values in cert requests

jmagne please review.

Comment 2 Jack Magne 2008-08-06 17:10:52 UTC
attachment (id=313491) jmagne+

Comment 3 Christina Fu 2008-08-06 18:08:24 UTC
$ svn update src/com/netscape/cms/profile/common/EnrollProfile.java src/com/netscape/cms/profile/def/UserExtensionDefault.java
At revision 73.
At revision 73.
$ svn commit src/com/netscape/cms/profile/common/EnrollProfile.java src/com/netscape/cms/profile/def/UserExtensionDefault.java
Sending        src/com/netscape/cms/profile/common/EnrollProfile.java
Sending        src/com/netscape/cms/profile/def/UserExtensionDefault.java
Transmitting file data ..
Committed revision 74.
$ pwd
.../dogtag/src4/pki/base/common

Comment 4 Chandrasekar Kannan 2008-08-27 00:29:50 UTC
Bug already MODIFIED. setting target CS8.0 and marking screened+

Comment 8 Chandrasekar Kannan 2009-06-23 13:05:46 UTC
Jenny - I have some tests documented in this directory for this purpose. 

https://svn.devel.redhat.com/repos/pki-tests/trunk/testframework/testcases/functional/profile_integrity/

Their README is https://svn.devel.redhat.com/repos/pki-tests/trunk/testframework/testcases/functional/profile_integrity/README

They are mostly tests for userSuppliedExtension in cert requests. I believe it will suffice for this bug.

Comment 9 Jenny Severance 2009-06-23 14:38:01 UTC
The following scenarios were verified by modifying the Agent-Authenticated Server Certificate Enrollment profile:

1. Request with no user supplied extensions
   success (both pem and crmf)
2. Request with 1 user supplied extension with valid value that matched constraint
   success (both pem and crmf)
3. Request with 1 user supplied extension with invalid values with constraint
   rejected (both pem and crmf)
4. Request with 1 valid extension with valid value not in profile
   pem rejected | crmf successful
5. Request with 1 valid extension with invalid value not in profile
   rejected (both pem and crmf)
6. Request with multiple valid extensions with valid values that match the constraints in the profile
   success (both pem and crmf)
7. Request with multiple valid extensions that are in the profile but one extension does not meet its constraints
   rejected (both pem and crmf)

Comment 10 Jenny Severance 2009-06-25 15:59:36 UTC
*** Bug 465386 has been marked as a duplicate of this bug. ***