[Pki-devel] profile constraint being replaced with NoConstraint

Fraser Tweedale ftweedal at redhat.com
Thu May 29 07:12:42 UTC 2014


Never mind, it's using a different profile from what I thought -_-.
Sorry for the noise.

Fraser

On Thu, May 29, 2014 at 05:02:14PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> I've been chipping away at the profile changes required for
> https://fedorahosted.org/freeipa/ticket/2915.
> 
> I've encountered a problem where the EKU extension constraint is
> being replaced by NoConstraint for validation.  The profile does
> read the constraint correctly, i.e. it appears in the "Manage
> Certificate Profiles" table in the web UI, but when it comes to
> performing the validation, it is instead using
> ``com.netscape.cms.profile.constraint.NoConstraint``.
> 
> I am using a modified caServerCert profile; the only changed part
> being:
> 
>     policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
>     policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
>     policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
>     policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
>     policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
>     policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
>     policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
>     policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
> 
> (This change was made to the caServerCert profile).
> 
> This is occurring on master (989e5d3).  A minimal patch that adds
> the logging which demonstrates this behaviour (for me) is attached.
> Any help in understanding this behaviour is appreciated :)
> 
> Cheers,
> 
> Fraser

> From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <frase at frase.id.au>
> Date: Thu, 29 May 2014 02:42:22 -0400
> Subject: [PATCH] NOPUSH add constraint logging
> 
> ---
>  base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> index ea51084..5c103d3 100644
> --- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> +++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> @@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile {
>          for (int i = 0; i < policies.size(); i++) {
>              IProfilePolicy policy = policies.elementAt(i);
>  
> +            CMS.debug(policy.getConstraint().getClass().getName());
>              policy.getConstraint().validate(request);
>          }
>          CMS.debug("BasicProfile: change to pending state");
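Review bot: the added CMS.debug call at the top of the loop body logs a bare class name, without the "BasicProfile: " prefix that the debug call after the loop uses and without saying which policy it belongs to, so the line is hard to attribute when reading the debug log. Consider prefixing the message and including the loop index i, and holding policy.getConstraint() in a local variable so the object that is logged is the same one validate(request) is called on.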
> -- 
> 1.9.3
> 
