[Pki-devel] profile constraint being replaced with NoConstraint

Fraser Tweedale ftweedal at redhat.com
Thu May 29 07:02:14 UTC 2014


Hi all,

I've been chipping away at the profile changes required for
https://fedorahosted.org/freeipa/ticket/2915.

I've encountered a problem where the EKU extension constraint is
being replaced by NoConstraint for validation.  The profile does
read the constraint correctly, i.e. it appears in the "Manage
Certificate Profiles" table in the web UI, but when it comes to
performing the validation, it is instead using
``com.netscape.cms.profile.constraint.NoConstraint``.

I am using a modified caServerCert profile; the only changed part
being:

    policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
    policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
    policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
    policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
    policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
    policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
    policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
    policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

(This change was made to the caServerCert profile).

This is occurring on master (989e5d3).  A minimal patch that adds
the logging which demonstrates this behaviour (for me) is attached.
Any help in understanding this behaviour is appreciated :)

Cheers,

Fraser
-------------- next part --------------
From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase at frase.id.au>
Date: Thu, 29 May 2014 02:42:22 -0400
Subject: [PATCH] NOPUSH add constraint logging

---
 base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
index ea51084..5c103d3 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
@@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile {
         for (int i = 0; i < policies.size(); i++) {
             IProfilePolicy policy = policies.elementAt(i);
 
+            CMS.debug(policy.getConstraint().getClass().getName());
             policy.getConstraint().validate(request);
         }
         CMS.debug("BasicProfile: change to pending state");
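Review bot: the debug line added at the top of the loop body prints the bare class name with no tag and no policy index, so in a busy debug log it cannot be tied back to the policy that produced it; include the loop context, e.g. `CMS.debug("BasicProfile: policy " + i + " constraint class " + policy.getConstraint().getClass().getName());`. It also calls `policy.getConstraint()` a second time on the very next line, so the object being logged is only the object being validated if that getter is idempotent; fetching it once into a local and using it for both the log and the `validate(request)` call makes the log answer the exact question this NOPUSH patch is asking.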
-- 
1.9.3
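The following is an added illustration, not part of the message and not Dogtag PKI code: it parses the `policyset.*` lines quoted above into per-policy constraint/default entries and applies an EKU constraint of the kind `extendedKeyUsageExtConstraintImpl` is expected to enforce (requested OIDs must be within `exKeyUsageOIDs`, criticality must match `exKeyUsageCritical`). The registry name `noConstraintImpl` for the accept-anything constraint is an assumption, included so the effect of the constraint being swapped at validation time is visible: with it in place, a request for an EKU outside the profile's list is accepted.

```python
"""Toy model of Dogtag-style profile constraint validation (illustration only).

Assumptions: the policyset.* key layout shown in the message, and the name
'noConstraintImpl' for the accept-anything constraint. Not Dogtag code.
"""
from typing import Dict, List, Tuple

# Constructed sample input: the policyset entries quoted in the message.
PROFILE_LINES = """\
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""

# role ("constraint" / "default") -> subkey (e.g. "params.exKeyUsageOIDs") -> value
Policy = Dict[str, Dict[str, str]]


def parse_policies(text: str) -> Dict[Tuple[str, str], Policy]:
    """Group policyset.<set>.<n>.<role>.<subkey...>=value lines by (set, n)."""
    policies: Dict[Tuple[str, str], Policy] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) < 5 or parts[0] != "policyset":
            continue
        pset, num, role = parts[1], parts[2], parts[3]
        subkey = ".".join(parts[4:])
        policies.setdefault((pset, num), {}).setdefault(role, {})[subkey] = value
    return policies


def eku_constraint(params: Dict[str, str], oids: List[str], critical: bool) -> Tuple[bool, str]:
    """What an EKU constraint should enforce: allow-listed OIDs and matching criticality."""
    allowed = {o.strip() for o in params.get("params.exKeyUsageOIDs", "").split(",") if o.strip()}
    want_critical = params.get("params.exKeyUsageCritical", "false").lower() == "true"
    if critical != want_critical:
        return False, f"critical={critical} but profile requires critical={want_critical}"
    extra = sorted(set(oids) - allowed)
    if extra:
        return False, "EKU OIDs outside profile allow-list: " + ",".join(extra)
    return True, "ok"


def no_constraint(params: Dict[str, str], oids: List[str], critical: bool) -> Tuple[bool, str]:
    """Accept-anything constraint; this is why a silent swap to it matters."""
    return True, "ok (NoConstraint accepts any value)"


CONSTRAINT_IMPLS = {
    "extendedKeyUsageExtConstraintImpl": eku_constraint,
    "noConstraintImpl": no_constraint,  # assumed registry name, not taken from the page
}


def validate_eku_request(policies: Dict[Tuple[str, str], Policy],
                         oids: List[str], critical: bool) -> List[Tuple[str, bool, str]]:
    """Run each policy's constraint over the requested EKU extension.

    Returns (policy-id, passed, reason) per policy. Loosely mirrors the loop
    the attached patch instruments, but is a stand-alone model only.
    """
    results: List[Tuple[str, bool, str]] = []
    for (pset, num), policy in sorted(policies.items()):
        constraint = policy.get("constraint", {})
        class_id = constraint.get("class_id", "noConstraintImpl")
        impl = CONSTRAINT_IMPLS.get(class_id)
        if impl is None:
            results.append((f"{pset}.{num}", False, f"unknown constraint class {class_id}"))
            continue
        ok, reason = impl(constraint, oids, critical)
        results.append((f"{pset}.{num}", ok, f"{class_id}: {reason}"))
    return results


def all_passed(results: List[Tuple[str, bool, str]]) -> bool:
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    profile = parse_policies(PROFILE_LINES)
    for oids, crit in ([["1.3.6.1.5.5.7.3.1"], False],
                       [["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.3"], False]):
        for pid, ok, why in validate_eku_request(profile, oids, crit):
            print(pid, "PASS" if ok else "FAIL", why)
    # Same request against a profile whose constraint was replaced by NoConstraint.
    swapped = parse_policies(PROFILE_LINES.replace("extendedKeyUsageExtConstraintImpl", "noConstraintImpl"))
    for pid, ok, why in validate_eku_request(swapped, ["1.3.6.1.5.5.7.3.3"], True):
        print(pid, "PASS" if ok else "FAIL", why)
```

Running it shows the serverAuth-only request passing, the request that adds a code-signing OID failing on the allow-list check, and the same out-of-profile request passing once the constraint class has been replaced by the accept-anything one, which is the practical consequence of the behaviour reported in the message.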


