Bug 480714 - Renewal: Revoked expired cert which is in the renew grace period is renewed.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2009-01-19 19:56 EST by Asha Akkiangady
Modified: 2015-01-04 18:36 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:31:17 EDT


Attachments (Terms of Use)
patch to fix (1.16 KB, patch)
2009-05-29 16:10 EDT, Ade Lee

Description Asha Akkiangady 2009-01-19 19:56:14 EST
Description of problem:
A cert which is expired and revoked, still in the renew grace period can be renewed.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:
Always

Steps to Reproduce:
1. Create a cert which is expired and revoked.
Step A: Turn your system clock to 40 days back from today 
Step B: Set caDirUserCert.cfg profile to issue a cert for 15 days, restart ca.
Step C: Issue a directory authenticated user cert through "Directory-Authenticated User Dual-Use Certificate Enrollment" profile.
Step D: Revoke the cert.
Step E: Set the system clock back to today.
2. Renew the cert.

Actual results:
Cert gets renewed.

Expected results:
Error message: Cannot renew a revoked certificate.

Additional info:
Comment 1 Christina Fu 2009-04-06 19:06:32 EDT
Please supply profile that you tested with.

Renewal grace period works with the following parameters:

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
Comment 2 Asha Akkiangady 2009-04-07 12:31:12 EDT
Yes, the renewal grace period has the default values.

policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
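To make the reported failure mode concrete, here is an added Python model of the two checks involved; it is not Dogtag's code and not the attached patch. It applies the renewal grace window from the parameters in comment 1, then contrasts a revocation check that knows only the plain REVOKED record status with one that also rejects REVOKED_EXPIRED, using the reproduction timeline from the description. The status names (modelled on Dogtag's certificate record statuses), the ordering of the checks and the dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Record status values (assumption: named after the status constants in
# Dogtag's certificate database records).
STATUS_VALID, STATUS_EXPIRED = "VALID", "EXPIRED"
STATUS_REVOKED, STATUS_REVOKED_EXPIRED = "REVOKED", "REVOKED_EXPIRED"
# renewal.graceBefore / renewal.graceAfter from the profile in comment 1.
GRACE_BEFORE, GRACE_AFTER = 30, 30

@dataclass
class CertRecord:
    serial: int
    not_after: datetime
    status: str

def in_grace_period(cert, now):
    """Model of renewGracePeriodConstraintImpl: renewal is accepted from
    graceBefore days before notAfter until graceAfter days after it."""
    return (cert.not_after - timedelta(days=GRACE_BEFORE) <= now
            <= cert.not_after + timedelta(days=GRACE_AFTER))

def revoked_message(cert):
    return (f"Certificate serial number {cert.serial} to be renewed is "
            "revoked. Cannot renew a revoked certificate")

def check_renewal_buggy(cert, now):
    """Rejects only the plain REVOKED status, so a cert that was revoked and
    has since expired (REVOKED_EXPIRED) passes the grace-period check and is
    renewed: the behaviour this bug reports."""
    if cert.status == STATUS_REVOKED:
        return False, revoked_message(cert)
    if not in_grace_period(cert, now):
        return False, "outside the renewal grace period"
    return True, "renewal accepted"

def check_renewal_fixed(cert, now):
    """Treats REVOKED_EXPIRED like REVOKED before applying the grace window."""
    if cert.status in (STATUS_REVOKED, STATUS_REVOKED_EXPIRED):
        return False, revoked_message(cert)
    if not in_grace_period(cert, now):
        return False, "outside the renewal grace period"
    return True, "renewal accepted"

# Reproduction timeline from the description (constructed dates): clock set 40
# days back, 15-day cert issued, revoked, now expired: notAfter is 25 days ago.
TODAY = datetime(2009, 1, 19)
REPRO_CERT = CertRecord(serial=29, status=STATUS_REVOKED_EXPIRED,
                        not_after=TODAY - timedelta(days=25))
```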
Comment 3 Ade Lee 2009-05-29 16:10:22 EDT
Created attachment 345953
patch to fix

cfu, please review

one line change to take into account expired-revoked certs!
Comment 4 Christina Fu 2009-05-29 16:17:52 EDT
cfu+
Comment 5 Ade Lee 2009-05-29 16:32:26 EDT
[builder@oliver base]$ svn ci -m "Bugzilla Bug #480714 and #481659 - renewal fixes for expired_revoked certs and prevent key archival for renewals" common/
Sending        common/src/com/netscape/cms/profile/common/CAEnrollProfile.java
Sending        common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Transmitting file data ..
Committed revision 503.
[builder@oliver base]$ cd ../dogtag/
[builder@oliver dogtag]$ svn ci -m "Bugzilla Bug #480714 and #481659 - renewal fixes for expired_revoked certs and prevent key archival for renewals" common/
Sending        common/pki-common.spec
Transmitting file data .
Committed revision 504.
Comment 6 Asha Akkiangady 2009-06-01 18:15:05 EDT
Verified.
When I tried to renew a revoked-expired cert which is in the renewal grace period, I got the error message: Sorry, your request is not submitted. The reason is "Certificate serial number 29 to be renewed is revoked. Cannot renew a revoked certificate".
