Red Hat Bugzilla – Bug 458499
subject name uniqueness plugin for profiles rejects requests even if existing certs are revoked or expired
Last modified: 2015-01-04 18:33:39 EST
Description of problem:
The subject name uniqueness plugin should not allow duplicate names if the existing certificate has been revoked or has expired. This behavior is the default behavior in Policies.
The default behavior in policies needs to be implemented. The one exception is that duplicate names should not be allowed when the certificate is on hold - because it may be subsequently restored.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable unique subject name plugin using profiles.
2. Enroll a cert.
3. Request another cert with the same subject name. This will fail.
4. Revoke the first cert - for any reason other than on-hold
5. Request a cert with the same subject name. This will (and should not) fail.
Created attachment 313852 [details]
patch to fix
cfu please review.
Created attachment 314224 [details]
patch version 2
New patch - based on comments in review
cfu - please ack.
Created attachment 314239 [details]
added debug statements and description pre cfu request.
cfu please ack.
Deon - doc changes will be needed for this for 8.0.
The subject uniqueness constraint has been enhanced, and has a new parameter as
Rules are as follows:
If the subject name is not unique, then the request will be rejected unless:
1. the certificate is expired or expired_revoked
2. the certificate is revoked and the revocation reason is not "on hold"
3. the keyUsageExtension bits are different and enableKeyUsageExtensionChecking is set to true (default)
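The three exceptions above as a decision function, written as an added example for this page and not taken from the Certificate System code base; the status strings, the `IssuedCert` record and the `CN=test user` subject are constructed, while 6 is the real CRLReason value for certificateHold (RFC 5280 section 5.3.1).

```python
from dataclasses import dataclass
from typing import Optional

# CRLReason value for certificateHold (RFC 5280 section 5.3.1); the bug calls it "on hold".
REASON_CERTIFICATE_HOLD = 6

@dataclass
class IssuedCert:
    """Constructed stand-in for a record in the CA's certificate repository."""
    subject: str
    status: str                          # assumed values: VALID, EXPIRED, REVOKED, REVOKED_EXPIRED
    revocation_reason: Optional[int] = None
    key_usage: frozenset = frozenset()   # names of the set keyUsage bits

def blocks_request(existing: IssuedCert, requested_key_usage: frozenset,
                   enable_key_usage_checking: bool = True) -> bool:
    """True if this same-subject certificate must make the new request fail.
    Mirrors the three exceptions listed in the bug; a cert on hold still blocks
    because it may later be taken off hold."""
    expired = existing.status in ("EXPIRED", "REVOKED_EXPIRED")          # rule 1
    revoked_not_on_hold = (existing.status == "REVOKED"                    # rule 2
                           and existing.revocation_reason != REASON_CERTIFICATE_HOLD)
    usage_differs = (enable_key_usage_checking                             # rule 3
                     and existing.key_usage != requested_key_usage)
    return not (expired or revoked_not_on_hold or usage_differs)

def passes_uniqueness_constraint(subject: str, requested_key_usage: frozenset,
                                 cert_db: list, enable_key_usage_checking: bool = True) -> bool:
    """Accept the request unless some certificate with the same subject blocks it."""
    return not any(blocks_request(c, requested_key_usage, enable_key_usage_checking)
                   for c in cert_db if c.subject == subject)

def replay_qa_steps() -> list:
    """Replay the approval attempts from the verification comment on constructed data.
    Returns one bool per attempt: [valid duplicate, on hold, revoked for another reason]."""
    ku = frozenset({"digitalSignature", "keyEncipherment"})
    first = IssuedCert("CN=test user", "VALID", key_usage=ku)          # constructed subject
    db = [first]
    results = [passes_uniqueness_constraint("CN=test user", ku, db)]   # first cert still valid
    first.status, first.revocation_reason = "REVOKED", REASON_CERTIFICATE_HOLD
    results.append(passes_uniqueness_constraint("CN=test user", ku, db))  # on hold
    first.revocation_reason = 1     # taken off hold and revoked with keyCompromise
    results.append(passes_uniqueness_constraint("CN=test user", ku, db))
    return results

if __name__ == "__main__":
    print(replay_qa_steps())   # [False, False, True]
```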
(In reply to comment #3)
> Created an attachment (id=314239) [details]
> patch v3
> added debug statements and description pre cfu request.
> cfu please ack.
Transmitting file data ...
Committed revision 109.
Bug already MODIFIED. Setting target CS8.0 and marking screened+
1. Created a user profile with the unique subject name constraint enabled.
2. Requested a certificate.
3. Requested another cert with the same subject name.
4. Approved the first request.
5. Attempted to approve the second request - failed constraint.
6. Revoked the first certificate with reason on hold.
7. Attempted to approve the second request - failed constraint.
8. Took the first certificate off hold and revoked it with another reason.
9. Attempt to approve the second request was successful.