[Pki-devel] [PATCH] 0131..0132 Fix LWCA entryUSN handling

Fraser Tweedale ftweedal at redhat.com
Wed Aug 24 05:36:35 UTC 2016


The attached patches address a couple of issues related to handling
the entryUSN attribute when reading lightweight CA entries.

https://fedorahosted.org/pki/ticket/2444

Thanks,
Fraser
-------------- next part --------------
From 5732d0f27b0f26a4125f91732659982609d75aab Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase at frase.id.au>
Date: Tue, 23 Aug 2016 14:50:03 +1000
Subject: [PATCH 131/132] Accept LWCA entry with missing entryUSN if plugin
 enabled

Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled.  But if the plugin is enabled, it's fine to
proceed.

Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not.  Clarify the log message
accordingly.

Part of: https://fedorahosted.org/pki/ticket/2444
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 46 ++++++++++++++++++----
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a5397da0c0dcea654a15f16e5becc5c430a1bb29..856317e1604d8d536af3320562da62a0dab544cb 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -677,6 +677,24 @@ public class CertificateAuthority
         }
     }
 
+    private boolean entryUSNPluginEnabled() {
+        try {
+            LDAPConnection conn = dbFactory.getConn();
+            try {
+                LDAPSearchResults results = conn.search(
+                    "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
+                    "(nsslapd-pluginEnabled=on)", null, false);
+                return results != null && results.hasMoreElements();
+            } catch (LDAPException e) {
+                return false;
+            } finally {
+                dbFactory.returnConn(conn);
+            }
+        } catch (ELdapException e) {
+            return false;  // oh well
+        }
+    }
+
     private void initCRLPublisher() throws EBaseException {
         // instantiate CRL publisher
         if (!isHostAuthority()) {
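Review bot: both catch blocks in entryUSNPluginEnabled() swallow the exception and return false, so a failure to read `cn=usn,cn=plugins,cn=config` (the bind identity lacking read access to `cn=config`, or a transient connection error) is indistinguishable from the plugin really being disabled, and the caller then skips the entry and logs an LL_FAILURE telling the operator to enable a plugin that may already be on. At minimum replace `return false;  // oh well` (and the empty LDAPException catch) with a CMS.debug of the exception; better, let the check report "unknown" separately from "disabled" (a tri-state result, or propagating the exception) so readAuthority can log the actual cause. It would also help to document that this check requires the database credentials to have read access to the plugin config entry.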
@@ -3177,17 +3195,29 @@ public class CertificateAuthority
         AuthorityID aid = new AuthorityID((String)
             aidAttr.getStringValues().nextElement());
 
-        LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
-        if (entryUSN == null) {
-            log(ILogger.LL_FAILURE, "Authority entry has no entryUSN.  " +
-                "This is likely because the USN plugin is not enabled in the database");
-            return;
+        Integer newEntryUSN = null;
+        LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
+        if (entryUSNAttr == null) {
+            CMS.debug("readAuthority: no entryUSN");
+            if (!entryUSNPluginEnabled()) {
+                CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
+                log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
+                        + " entryUSN attribute and USN plugin not enabled;"
+                        + " skipping.  Enable dirsrv USN plugin.");
+                return;
+            } else {
+                CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
+                // entryUSN plugin is enabled, but no entryUSN attribute. We
+                // can proceed because future modifications will result in the
+                // entryUSN attribute being added.
+            }
+        } else {
+            newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
+            CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
         }
 
-        Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
-        CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
         Integer knownEntryUSN = entryUSNs.get(aid);
-        if (knownEntryUSN != null) {
+        if (newEntryUSN != null && knownEntryUSN != null) {
             CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
             if (newEntryUSN <= knownEntryUSN) {
                 CMS.debug("readAuthority: data is current");
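Review bot: in the plugin-enabled / attribute-missing branch newEntryUSN stays null past the end of this hunk, and only the comparison on the `if (newEntryUSN != null && knownEntryUSN != null)` line is guarded; please confirm that every later use of newEntryUSN in readAuthority (in particular any entryUSNs.put(aid, newEntryUSN)) tolerates null, otherwise the entry is processed but its USN tracking silently stores null. The comment in that branch says the attribute will appear after a future modification; it is worth adding that until then the entry is re-read on every monitor event, because the "data is current" short-circuit cannot apply. Separately, `new Integer(entryUSNAttr.getStringValueArray()[0])` still throws NumberFormatException on a malformed value; this hunk relocates that line without catching it.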
-- 
2.5.5

-------------- next part --------------
From 3e324c2f1b30fa0f110052ff083b5ac9b3ce759e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 132/132] Perform host authority check before entryUSN check

When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check.  If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.

Move the host authority check before the entryUSN check to avoid
this scenario.

Fixes: https://fedorahosted.org/pki/ticket/2444
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 41 +++++++++++-----------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 856317e1604d8d536af3320562da62a0dab544cb..020918bbb2f268aea83a242e24fe2f016a2375ec 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3195,6 +3195,27 @@ public class CertificateAuthority
         AuthorityID aid = new AuthorityID((String)
             aidAttr.getStringValues().nextElement());
 
+        X500Name dn = null;
+        try {
+            dn = new X500Name((String) dnAttr.getStringValues().nextElement());
+        } catch (IOException e) {
+            CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
+        }
+
+        String desc = null;
+        LDAPAttribute descAttr = entry.getAttribute("description");
+        if (descAttr != null)
+            desc = (String) descAttr.getStringValues().nextElement();
+
+        if (dn.equals(mName)) {
+            CMS.debug("Found host authority");
+            foundHostAuthority = true;
+            this.authorityID = aid;
+            this.authorityDescription = desc;
+            caMap.put(aid, this);
+            return;
+        }
+
         Integer newEntryUSN = null;
         LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
         if (entryUSNAttr == null) {
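Review bot: the moved block dereferences dn in `if (dn.equals(mName))` even though the preceding catch for IOException only logs and leaves dn null, so a malformed authorityDN now throws a NullPointerException earlier in readAuthority than before the move; add a `return;` after the CMS.debug in the catch, or write the comparison as `mName.equals(dn)`. Since the host authority now returns before the entryUSN block, the entryUSNs map is never populated for the host authority; that looks intentional given the commit message, but a one-line comment above the `return;` saying so would save the next reader from wondering.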
@@ -3225,26 +3246,6 @@ public class CertificateAuthority
             }
         }
 
-        X500Name dn = null;
-        try {
-            dn = new X500Name((String) dnAttr.getStringValues().nextElement());
-        } catch (IOException e) {
-            CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
-        }
-
-        String desc = null;
-        LDAPAttribute descAttr = entry.getAttribute("description");
-        if (descAttr != null)
-            desc = (String) descAttr.getStringValues().nextElement();
-
-        if (dn.equals(mName)) {
-            foundHostAuthority = true;
-            this.authorityID = aid;
-            this.authorityDescription = desc;
-            caMap.put(aid, this);
-            return;
-        }
-
         @SuppressWarnings("unused")
         X500Name parentDN = null;
         if (parentDNAttr != null) {
-- 
2.5.5