Bug 458499 - subject name uniqueness plugin for profiles rejects requests even if existing certs are revoked or expired
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Profile (Show other bugs)
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2008-08-08 17:36 EDT by Ade Lee
Modified: 2015-01-04 18:33 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:29:34 EDT


Attachments
- patch to fix (9.42 KB, application/octet-stream), 2008-08-08 17:42 EDT, Ade Lee
- patch version 2 (7.60 KB, patch), 2008-08-13 12:53 EDT, Ade Lee
- patch v3 (6.35 KB, application/octet-stream), 2008-08-13 15:19 EDT, Ade Lee

Description Ade Lee 2008-08-08 17:36:25 EDT
Description of problem:
The subject name uniqueness plugin should not allow duplicate names if the existing certificate has been revoked or has expired.  This behavior is the default behavior in Policies.

The default behavior in policies needs to be implemented.  The one exception is that duplicate names should not be allowed when the certificate is on hold - because it may be subsequently restored.

Steps to Reproduce:
1. Enable unique subject name plugin using profiles.
2. Enroll a cert.
3. Request another cert with the same subject name.  This will fail.
4. Revoke the first cert - for any reason other than on-hold
5. Request a cert with the same subject name.  This will (and should not) fail.
Comment 1 Ade Lee 2008-08-08 17:42:46 EDT
Created attachment 313852 [details]
patch to fix

cfu please review.
Comment 2 Ade Lee 2008-08-13 12:53:33 EDT
Created attachment 314224 [details]
patch version 2

New patch - based on comments in review
cfu - please ack.
Comment 3 Ade Lee 2008-08-13 15:19:36 EDT
Created attachment 314239 [details]
patch v3

added debug statements and description per cfu request.
cfu please ack.
Comment 4 Ade Lee 2008-08-13 15:20:28 EDT
Copying Deon:

Deon - doc changes will be needed for this for 8.0.

The subject uniqueness constraint has been enhanced, and has a new parameter as
detailed below:

Rules are as follows:
If the subject name is not unique, then the request will be rejected unless:
1. the certificate is expired or expired_revoked
2. the certificate is revoked and the revocation reason is not "on hold"
3. the keyUsageExtension bits are different and enableKeyUsageExtensionChecking is set to true (default)
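The three rules above, as an added stand-alone model that is not Dogtag's own UniqueSubjectNameConstraint.java. The record status names, the reason-code enum, the crude DN normalisation and the `check_unique_subject` / `verification_walkthrough` helper names are assumptions made for the example; the constructed sample records replay the approve / hold / off-hold sequence later reported in the verification comment.

```python
# Added example: a stand-alone model of the uniqueness rules listed in comment 4.
# This is NOT Dogtag's UniqueSubjectNameConstraint.java; names, status values
# and the DN normalisation are simplifying assumptions made for the example.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Status(Enum):
    """Certificate record states the constraint distinguishes (assumed names)."""
    VALID = "VALID"
    EXPIRED = "EXPIRED"
    REVOKED = "REVOKED"
    REVOKED_EXPIRED = "REVOKED_EXPIRED"   # comment 4's "expired_revoked"


class Reason(Enum):
    """CRL reason codes from RFC 5280 section 5.3.1 (subset)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6


@dataclass
class CertRecord:
    serial: int
    subject: str
    status: Status
    key_usage: FrozenSet[str] = frozenset()
    reason: Optional[Reason] = None


def normalize_dn(dn: str) -> str:
    """Crude DN comparison key: lower-case, whitespace around commas removed.
    Real X.500 name matching is more involved; this is enough for the example."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_unique_subject(request_subject: str,
                         request_key_usage: FrozenSet[str],
                         existing: List[CertRecord],
                         enable_key_usage_extension_checking: bool = True) -> Optional[str]:
    """Return None if the request satisfies the constraint, otherwise the
    rejection message naming the conflicting serial number.

    A same-subject certificate does NOT block the request when
      1. it is expired or revoked-and-expired,
      2. it is revoked for any reason other than certificateHold, or
      3. key usage checking is enabled and its keyUsage bits differ.
    A certificate on hold still blocks, because it may be taken off hold."""
    wanted = normalize_dn(request_subject)
    for cert in existing:
        if normalize_dn(cert.subject) != wanted:
            continue
        if cert.status in (Status.EXPIRED, Status.REVOKED_EXPIRED):
            continue                                             # rule 1
        if cert.status is Status.REVOKED and cert.reason is not Reason.CERTIFICATE_HOLD:
            continue                                             # rule 2
        if enable_key_usage_extension_checking and cert.key_usage != request_key_usage:
            continue                                             # rule 3
        return (f"Subject name '{request_subject}' is not unique: "
                f"conflicts with certificate serial {cert.serial} ({cert.status.value})")
    return None


def verification_walkthrough() -> List[Optional[str]]:
    """Replay the verification sequence against the model with constructed
    records. Returns the constraint result at each approval attempt:
    blocked while valid, blocked while on hold, allowed once revoked otherwise."""
    ku = frozenset({"digitalSignature", "keyEncipherment"})
    subject = "CN=alice, OU=Engineering, O=Example"
    first = CertRecord(serial=1, subject=subject, status=Status.VALID, key_usage=ku)
    db = [first]
    results = []
    # approve the second request while the first cert is still valid
    results.append(check_unique_subject(subject, ku, db))
    # revoke the first cert with reason certificateHold and try again
    first.status, first.reason = Status.REVOKED, Reason.CERTIFICATE_HOLD
    results.append(check_unique_subject(subject, ku, db))
    # take it off hold and revoke it for another reason, then try again
    first.reason = Reason.SUPERSEDED
    results.append(check_unique_subject(subject, ku, db))
    return results


if __name__ == "__main__":
    for outcome in verification_walkthrough():
        print("accepted" if outcome is None else outcome)
```

The on-hold case is the one worth checking in any reimplementation: a hold is reversible, so treating every revoked record as freeing the subject name would let a second certificate be issued for a name whose original certificate may later be restored.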
Comment 5 Christina Fu 2008-08-13 17:49:04 EDT
(In reply to comment #3)
> Created an attachment (id=314239) [details]
> patch v3
> 
> added debug statements and description pre cfu request.
> cfu please ack.

cfu+
Comment 6 Ade Lee 2008-08-14 10:52:50 EDT
Sending        base/common/src/UserMessages_en.properties
Sending        base/common/src/com/netscape/cms/profile/constraint/UniqueSubjectNameConstraint.java
Sending        linux/common/pki-common.spec
Transmitting file data ...
Committed revision 109.
Comment 7 Chandrasekar Kannan 2008-08-26 20:30:03 EDT
Bug already MODIFIED. setting target CS8.0 and marking screened+
Comment 10 Jenny Galipeau 2009-06-29 13:21:39 EDT
Verified:

1. Created user profile with enable unique subject name constraint.
2. Requested certificate.
3. Request another cert with the same subject name.
4. Approved the first request.
5. Attempt to approve second request - Failed constraint.
6. Revoked first certificate with reason on Hold.
7. Attempt to approve second request - Failed constraint.
8. Took first certificate off hold and revoked with other reason.
9. Attempt to approve second request was successful.
