[Pki-devel] [PATCH] 0016-2 - Fix BasicConstraints min/max path length check

Fraser Tweedale ftweedal at redhat.com
Mon Nov 24 06:03:25 UTC 2014 

New patch attached.

Re point 1., despite the improved ``EPropertyException`` thrown in
the new code, the error reported by the CLI is ``PKIException: Error
changing profile data``.  I filed
https://fedorahosted.org/pki/ticket/1212 to address this later.

3. is not an issue and 2. and 4. have been addressed in the new
patch.

On Thu, Nov 20, 2014 at 10:06:52AM -0600, Endi Sukma Dewata wrote:
> On 11/20/2014 12:58 AM, Fraser Tweedale wrote:
> >Ping.  Who wants to review this :)
> 
> Looks short enough, I'll bite. :)
> 
> The changes seem to be fine, so it's ACKed.
> 
> There are some related issues/questions. Feel free to address them as part
> of this ticket, or maybe file a separate ticket.
> 
> 1. The exception message is not very helpful. It probably should have said
> something like:
> 
>     Max path length cannot be smaller than min path length: <maxLen value>
> 
> 2. According to the ticket the ca-profile-add failed but the profile
> actually got added. Suppose there's a real constraint violation I think it
> should display the above exception message, and the profile should not be
> added.
> 
> 3. Can we specify any negative value to indicate no min/max, or does it have
> to be -1? It should be consistent with the documentation.
> 
> 4. The code seems to assume that the MinPathLen is already added before
> adding MaxPathLen. Suppose the MinPathLen is missing or added later will
> this constraint still be validated?
> 
> Also, maybe we should keep track the list of unreviewed patches on the top
> of etherpad so we don't miss anything.
> 
> -- 
> Endi S. Dewata
-------------- next part --------------
>From b4b92d145a8a8b6e6caefaf608114ed034891b53 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 25 Sep 2014 01:39:40 -0400
Subject: [PATCH] Fix BasicConstraints min/max path length check

The BasicConstraintsExtConstraint min/max path length validity check
ensures that the max length is greater than the min length, however,
when a negative value is used to represent "no max", the check
fails.

Only compare the min and max length if both values are set to
non-negative integers.  Also run the check when either value is
modified, since setting the min path length could invalidate the
configuration.

Ticket #1035
---
 .../constraint/BasicConstraintsExtConstraint.java  | 45 +++++++++++++---------
 1 file changed, 26 insertions(+), 19 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java
index ca2668f7db305122f330fca058b27801820a75b4..05ab0e2fdc1609b7dc734ac08ba6d5120c7c617b 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/BasicConstraintsExtConstraint.java
@@ -195,30 +195,37 @@ public class BasicConstraintsExtConstraint extends EnrollConstraint {
 
     public void setConfig(String name, String value)
             throws EPropertyException {
+        IConfigStore cs = mConfig.getSubStore("params");
 
-        if (mConfig.getSubStore("params") == null) {
+        if (cs == null) {
             CMS.debug("BasicConstraintsExt: mConfig.getSubStore is null");
-            //
         } else {
-
             CMS.debug("BasicConstraintsExt: setConfig name " + name + " value " + value);
-
-            if (name.equals(CONFIG_MAX_PATH_LEN)) {
-
-                String minPathLen = getConfig(CONFIG_MIN_PATH_LEN);
-
-                int minLen = getInt(minPathLen);
-
-                int maxLen = getInt(value);
-
-                if (minLen >= maxLen) {
-                    CMS.debug("BasicConstraintExt:  minPathLen >= maxPathLen!");
-
-                    throw new EPropertyException("bad value");
-                }
-
+            String origValue = getConfig(name);
+            cs.putString(name, value);
+            try {
+                validateConfig();
+            } catch (EPropertyException e) {
+                cs.putString(name, origValue);
+                throw e;
             }
-            mConfig.getSubStore("params").putString(name, value);
+        }
+    }
+
+    private void validateConfig() throws EPropertyException {
+        int minLen = -1;
+        int maxLen = -1;
+        try {
+            minLen = getConfigInt(CONFIG_MIN_PATH_LEN);
+            maxLen = getConfigInt(CONFIG_MAX_PATH_LEN);
+        } catch (NumberFormatException e) {
+            // one of the path len configs is empty - treat as unset
+        }
+        if (maxLen >= 0 && maxLen >= 0 && minLen >= maxLen) {
+            CMS.debug("BasicConstraintExt:  minPathLen >= maxPathLen!");
+            throw new EPropertyException(
+                "Max path length (" + maxLen +
+                ") must be greater than min path length (" + minLen + ").");
         }
     }
 }
-- 
1.9.3

More information about the Pki-devel mailing list