[Pki-devel] [PATCH] pki-cfu-0044-ticket-822-creates-root-CA-subject-DN-when-renewing-.patch

Christina Fu cfu at redhat.com
Thu Feb 12 20:18:22 UTC 2015


pushed to master:
commit 98b2407eef642cd95296c972393b0c0db46230be

thanks,
Christina

On 02/12/2015 12:01 PM, John Magne wrote:
> OK:
>
> Having looked at this and the ticket, it's unfortunate we could not reproduce it.
>
> The patch seems to be a decent way to defensively prevent this specific problem
> from happening. I looked at the method in question that populates the dummy default
> cert values and this one appears to be the one most dangerous if it slips through
> being that of the Issuer's Subject.
>
> Therefore I think this particular fix should be ACKED with the following caveats.
>
> 1. Right now that value is set to something like "CN=null". I think it would be
> better to make it an obvious string such as "Default Subject Name", so if someone actually
> gets this in a cert, it will throw up a nicer red flag to the user.
>
> 2. It sounds like some crazy confluence of events resulted in a cert being issued without
> a legit value for the subject. We should have a future ticket to track down exactly where
> the ball was dropped and fix that.
>
> ----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Wednesday, February 11, 2015 12:03:20 PM
> Subject: [Pki-devel] [PATCH] pki-cfu-0044-ticket-822-creates-root-CA-subject-DN-when-renewing-.patch
>
> This is a small patch for
> https://fedorahosted.org/pki/ticket/822 rhcs81 caManualRenewal with
> original profile modified for empty params.name creates root CA subject DN
>
> I am actually not able to reproduce the reported issue on either latest
> Dogtag or RHCS8.1, possibly due to some other fix on
> SubjectNameDefault.  However, the investigation showed that a cert's
> subjectName has always been initialized to the issuerName.  To avoid
> future possible errors in newer profile plugins, I am changing the
> initialization to "CN=null".
>
> thanks,
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
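
An audit check for the failure mode discussed in this thread, as an added example that is not part of the original messages or of the Dogtag code: it flags issued-certificate records whose subject DN is the "CN=null" placeholder, or equals the issuer DN on a certificate that is not self-signed. The record layout, the `self_signed` field (assumed to be computed upstream by verifying the signature with the certificate's own public key), the sample records and the simplified DN normalization are all assumptions.

```python
import re

# Placeholder subject the patch initializes to, in normalized form.
# Extend with any other default string your deployment uses.
PLACEHOLDERS = {"cn=null"}


def normalize_dn(dn):
    """Approximate DN comparison form: split on unescaped commas, trim and
    collapse whitespace, lower-case attribute types and values."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(parts)


def audit(records):
    """Return (serial, reason) for each record that matches the failure mode.
    Each record is a dict with 'serial', 'subject', 'issuer', 'self_signed'."""
    findings = []
    for rec in records:
        subject = normalize_dn(rec["subject"])
        issuer = normalize_dn(rec["issuer"])
        if subject in PLACEHOLDERS:
            # The dummy default value reached an issued certificate.
            findings.append((rec["serial"], "placeholder-subject"))
        elif subject == issuer and not rec["self_signed"]:
            # Only a genuine self-signed root should carry subject == issuer.
            findings.append((rec["serial"], "subject-equals-issuer"))
    return findings


# Constructed sample inventory (not real certificates).
CA_DN = "CN=CA Signing Certificate,O=EXAMPLE"
SAMPLE = [
    {"serial": "0x01", "subject": "CN=CA Signing Certificate, O=EXAMPLE",
     "issuer": CA_DN, "self_signed": True},
    {"serial": "0x0a", "subject": "CN=host1.example.test,O=EXAMPLE",
     "issuer": CA_DN, "self_signed": False},
    {"serial": "0x0b", "subject": "cn=CA Signing Certificate,  o=example",
     "issuer": CA_DN, "self_signed": False},
    {"serial": "0x0c", "subject": "CN=null",
     "issuer": CA_DN, "self_signed": False},
]

if __name__ == "__main__":
    for serial, reason in audit(SAMPLE):
        print(serial, reason)
```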



