Bug 480255 - User Certificate gets renewed when cert is not in grace period.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
Version: unspecified
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Christina Fu
Chandrasekar Kannan
Duplicates: 481373
Blocks: 443788
Reported: 2009-01-15 19:14 EST by Asha Akkiangady
Modified: 2015-01-04 18:35 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:31:11 EDT
Attachments
calculate the time diff in terms of milliseconds instead of days (2.71 KB, patch)
2009-06-10 12:31 EDT, Christina Fu
spec file diff (1.00 KB, patch)
2009-06-10 12:42 EDT, Christina Fu
had to resolve to BigInteger (2.49 KB, patch)
2009-06-10 17:50 EDT, Christina Fu

Description Asha Akkiangady 2009-01-15 19:14:34 EST
Description of problem:
User certificate gets renewed when cert has Not After date 31 days from today. (caUserCert.cfg for renewal has graceBefore=30 and graceAfter=30).

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set CA profile caDirUserCert.cfg to have validity period 31 days.
(policyset.userCertSet.2.default.params.range=31), restart CA.

2. From the CA enrollment page, enroll for profile "Directory-Authenticated User Dual-Use Certificate Enrollment" with a valid uid and password. A certificate is generated, valid for 31 days.
 
3. Set CA profile caDirUserCert.cfg to have default validity period 180 days.
(policyset.userCertSet.2.default.params.range=180), restart CA.
  
4. From the CA enrollment page, enroll for profile "Directory-Authenticated User Certificate Self-Renew profile", provide user id, password and serial number of the cert.

Actual results:
Certificate gets renewed.

Expected results:
Error message "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date".

Additional info:
Same problem is found when renewal is done in other 2 ways (SSLClient and Manual agent approved).
Comment 1 Christina Fu 2009-04-02 14:49:08 EDT
*** Bug 481373 has been marked as a duplicate of this bug. ***
Comment 2 Christina Fu 2009-04-06 19:04:42 EDT
Please supply your test profile. To test grace period, you must have the following parameters in your profile, and have them enabled in the policyset list:

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default

Since I do not see these in your bug report description, I am requesting you to attach your profile so I can take a look.  Thanks.
Comment 3 Asha Akkiangady 2009-04-07 12:35:59 EDT
Yes, the renewal grace period has the default values as mentioned in the Description of problem above.

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
Comment 4 Christina Fu 2009-06-10 12:31:00 EDT
Created attachment 347253 [details]
calculate the time diff in terms of milliseconds instead of days
Comment 5 Christina Fu 2009-06-10 12:42:57 EDT
Created attachment 347254 [details]
spec file diff
Comment 6 Matthew Harmsen 2009-06-10 12:44:43 EDT
attachment (id=347253)
attachment (id=347254)
+mharmsen
Comment 7 Christina Fu 2009-06-10 13:01:08 EDT
[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/base/common
[cfu@jaw common]$ svn commit src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Sending        src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 575.


[cfu@jaw common]$ pwd
/home/cfu/dogtag/src0/pki/dogtag/common
[cfu@jaw common]$ svn commit pki-common.spec
Sending        pki-common.spec
Transmitting file data .
Committed revision 576.
Comment 8 Christina Fu 2009-06-10 16:57:12 EDT
The fix actually is no good.
Comment 9 Christina Fu 2009-06-10 17:50:44 EDT
Created attachment 347298 [details]
had to resolve to BigInteger
Comment 10 Jack Magne 2009-06-10 18:00:07 EDT
Attachment (id=347298) +jmange
Comment 11 Christina Fu 2009-06-10 18:00:55 EDT
[cfu@jaw constraint]$ svn commit RenewGracePeriodConstraint.java
Sending        RenewGracePeriodConstraint.java
Transmitting file data .
Committed revision 581.
Comment 12 Jenny Galipeau 2009-06-11 13:07:10 EDT
Verified:

Sorry, your request has been rejected. The reason is "Request Rejected - Outside of Renewal Grace Period: 30 days before and 30 days after original cert expiration date"
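
The attachment titles in this thread ("calculate the time diff in terms of milliseconds instead of days", "had to resolve to BigInteger") point at the arithmetic of the grace-period comparison. The following Java example is added here for illustration and is not the Dogtag patch, which is not shown on this page; the class, the method names, the timestamps and both "pitfall" variants are assumptions about how such a check can go wrong, set beside a millisecond comparison done with BigInteger.

```java
import java.math.BigInteger;
import java.util.Date;

// Added illustration; not the Dogtag RenewGracePeriodConstraint source.
public class GracePeriodCheck {
    static final long MS_PER_DAY = 24L * 60 * 60 * 1000;

    // Pitfall 1 (assumed): a whole-day difference truncates toward zero, so a
    // certificate with 30 days 23 hours left counts as "30 days" and passes.
    static boolean inGraceByDays(Date now, Date notAfter, int before, int after) {
        long days = (notAfter.getTime() - now.getTime()) / MS_PER_DAY;
        return days <= before && days >= -after;
    }

    // Pitfall 2 (assumed): int arithmetic overflows. 30 days in milliseconds is
    // 2,592,000,000, above Integer.MAX_VALUE, so the product wraps negative.
    static int graceMillisInt(int days) {
        return days * 24 * 60 * 60 * 1000;
    }

    // Millisecond comparison with BigInteger: no truncation, no overflow.
    static boolean inGraceByMillis(Date now, Date notAfter, int before, int after) {
        BigInteger day = BigInteger.valueOf(MS_PER_DAY);
        BigInteger diff = BigInteger.valueOf(notAfter.getTime())
                .subtract(BigInteger.valueOf(now.getTime()));
        BigInteger maxBefore = BigInteger.valueOf(before).multiply(day);
        BigInteger maxAfter = BigInteger.valueOf(after).multiply(day).negate();
        return diff.compareTo(maxBefore) <= 0 && diff.compareTo(maxAfter) >= 0;
    }

    public static void main(String[] args) {
        // Constructed timestamps: a 31-day certificate whose renewal is
        // requested one hour after issuance, with graceBefore=30, graceAfter=30.
        Date now = new Date(1_244_655_000_000L);
        Date notAfter = new Date(now.getTime() + 31 * MS_PER_DAY - 3_600_000L);
        System.out.println("day-truncated check: " + inGraceByDays(now, notAfter, 30, 30));
        System.out.println("int grace (ms):      " + graceMillisInt(30));
        System.out.println("millisecond check:   " + inGraceByMillis(now, notAfter, 30, 30));
    }
}
```

A regression test for a constraint like this should probe the boundary at sub-day offsets (one hour inside and one hour outside the window on each side), since whole-day test values pass under every variant above.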
