[Pki-devel] profile constraint being replaced with NoConstraint
Fraser Tweedale
ftweedal at redhat.com
Thu May 29 07:12:42 UTC 2014
Never mind, it's using a different profile from what I thought -_-.
Sorry for the noise.
Fraser
On Thu, May 29, 2014 at 05:02:14PM +1000, Fraser Tweedale wrote:
> Hi all,
>
> I've been chipping away at the profile changes required for
> https://fedorahosted.org/freeipa/ticket/2915.
>
> I've encountered a problem where the EKU extension constraint is
> being replaced by NoConstraint for validation. The profile does
> read the constraint correctly, i.e. it appears in the "Manage
> Certificate Profiles" table in the web UI, but when it comes to
> performing the validation, it is instead using
> ``com.netscape.cms.profile.constraint.NoConstraint``.
>
> I am using a modified caServerCert profile; the only changed part
> being:
>
> policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
> policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
> policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
> policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
> policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
> policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
> policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
>
> (This change was made to the caServerCert profile).
>
> This is occurring on master (989e5d3). A minimal patch that adds
> the logging which demonstrates this behaviour (for me) is attached.
> Any help in understanding this behaviour is appreciated :)
>
> Cheers,
>
> Fraser
> From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <frase at frase.id.au>
> Date: Thu, 29 May 2014 02:42:22 -0400
> Subject: [PATCH] NOPUSH add constraint logging
>
> ---
> base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> index ea51084..5c103d3 100644
> --- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> +++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
> @@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile {
> for (int i = 0; i < policies.size(); i++) {
> IProfilePolicy policy = policies.elementAt(i);
>
> + CMS.debug(policy.getConstraint().getClass().getName());
> policy.getConstraint().validate(request);
> }
> CMS.debug("BasicProfile: change to pending state");
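Review bot: the added CMS.debug call inside the loop logs only the bare class name, so a line reading com.netscape.cms.profile.constraint.NoConstraint cannot be tied to a policy or to the profile being validated. Prefix it the way the following context line does ("BasicProfile: ...") and include the loop index i, and ideally an identifier of the profile itself, so the log shows which profile's policies are being walked. The call also evaluates policy.getConstraint() twice; holding the result in a local before logging and calling validate(request) keeps the logged object and the validated object the same.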
> --
> 1.9.3
>
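An added example, not part of the original thread or of the Dogtag code base: an offline check over a profile configuration that reports, for each policy carrying an EKU default, which constraint class is configured and whether the default's OIDs fall inside the constraint's list. The function names are hypothetical, the sample is the configuration quoted in the message, and the subset rule is an assumed reading of what the EKU constraint enforces.

```python
import re
from collections import defaultdict

# Constructed sample: the profile lines quoted in the message, "> " prefix removed.
PROFILE_CFG = """\
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""

KEY_RE = re.compile(r"^policyset\.([^.]+)\.(\d+)\.(constraint|default)\.(.+)$")
EKU_DEFAULT = "extendedKeyUsageExtDefaultImpl"
EKU_CONSTRAINT = "extendedKeyUsageExtConstraintImpl"

def parse_policies(text):
    """Group policyset.<set>.<n>.(constraint|default).* keys by (set, n)."""
    policies = defaultdict(lambda: {"constraint": {}, "default": {}})
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = KEY_RE.match(key.strip())
        if sep and m:  # comments and unrelated keys do not match KEY_RE
            pset, num, part, rest = m.groups()
            policies[(pset, int(num))][part][rest] = value.strip()
    return dict(policies)

def oids(part):
    # exKeyUsageOIDs is a comma-separated list; tolerate stray whitespace.
    return {o.strip() for o in part.get("params.exKeyUsageOIDs", "").split(",") if o.strip()}

def audit_eku(policies):
    """Return findings for EKU defaults that are not matched by an EKU constraint."""
    findings = []
    for (pset, num), p in sorted(policies.items()):
        if p["default"].get("class_id") != EKU_DEFAULT:
            continue
        cls = p["constraint"].get("class_id", "<missing>")
        if cls != EKU_CONSTRAINT:
            findings.append(f"{pset}.{num}: EKU default is validated by {cls}")
            continue
        extra = oids(p["default"]) - oids(p["constraint"])
        if extra:  # assumption: the constraint rejects OIDs outside its list
            findings.append(f"{pset}.{num}: default OIDs outside constraint list: {sorted(extra)}")
    return findings
```

Running `audit_eku(parse_policies(...))` over the configuration file of the profile actually used for the request, rather than the one edited, shows directly whether an EKU constraint is configured for it.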