
Re: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided



Hello Endi,

Here is the fix with test cases that I tested.

Thanks
Geetika

On 08/12/2016 08:50 AM, Geetika Kapoor wrote:
> Yes Endi, you're right .. Fix should be more generic .. I will fix it in core method and will send for review.
>
> Thanks 
> Geetika
> ----- Original Message -----
> From: Endi Sukma Dewata <edewata redhat com>
> To: Geetika Kapoor <gkapoor redhat com>, pki-devel redhat com
> Sent: Thu, 11 Aug 2016 21:25:03 -0400 (EDT)
> Subject: Re: [Pki-devel] [PATCH] To fix 1358462 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
>
> On 8/11/2016 4:56 AM, Geetika Kapoor wrote:
>> Hi,
>>
>> This patch fixes BZ 1358462 - pki pkcs12-cert-del shows a successfully
>> deleted message when a wrong nickname is provided.
>> If we provide a wrong cert nickname it gives "Certificate Nickname
>> subsystemCert cert-topology-02-CA doesn't exist" and also if the cert
>> nickname doesn't exist it won't share the number of entries present.
>> Only if the cert nickname matches does it show how many entries exist.
>>
>> Thanks
>> Geetika
> Hi Geetika,
>
> Similar to what I mentioned to Abhijeet, I added your patch to this 
> ticket to make sure it's not forgotten:
> https://fedorahosted.org/pki/ticket/2414
>
> I looked at the patch briefly, I think instead of fixing it in 
> PKCS12CertRemoveCLI, it probably should be fixed in the 
> PKCS12.removeCertInfoByNickname(). Basically if the cert to be deleted 
> doesn't exist the method should throw an exception. The CLI then should 
> catch the exception and display the error. This way the error checking 
> will be done consistently regardless who calls the method.
>
> If you're going to revise the patch please attach it to this ticket.
>
> Thanks.
>

From 09fc6e6feb86c104469724ec5a4c0da80904651e Mon Sep 17 00:00:00 2001
From: Geetika Kapoor <gkapoor redhat com>
Date: Fri, 12 Aug 2016 05:35:58 -0400
Subject: [PATCH] Fix for BZ 1358462

Signed-off-by: Geetika Kapoor <gkapoor redhat com>
---
 base/util/src/netscape/security/pkcs/PKCS12.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
index 6c7880aa8039e3f568285fe55adc0adb15ebeb22..c8699a3015bbb982d0e235b9d50f5cded63a41d0 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
@@ -196,10 +196,16 @@ public class PKCS12 {
 
         Collection<PKCS12CertInfo> result = getCertInfosByNickname(nickname);
 
-        for (PKCS12CertInfo certInfo : result) {
-            // remove cert and key
-            certInfosByID.remove(certInfo.getID());
-            keyInfosByID.remove(certInfo.getID());
+        if (!result.isEmpty()){
+            for (PKCS12CertInfo certInfo : result) {
+                // remove cert and key
+                 certInfosByID.remove(certInfo.getID());
+                 keyInfosByID.remove(certInfo.getID());
+            }
+              }
+        else{
+            System.out.println("Warning : Certificate Nickname" + " " + nickname + " " + "doesn't exist");
+            System.exit(-1);
         }
     }
 }
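
Review bot: The else branch calls System.exit(-1) from inside PKCS12.java, a utility class under base/util, so any caller that passes an unknown nickname has its whole JVM terminated, not only the pki command line. The earlier review in this thread asked for the method to throw an exception when the cert to be deleted does not exist and for the CLI to catch it and display the error; replacing the println/exit pair with a throw follows that and leaves the choice of message and exit status to the caller. As written, the message is printed to stdout and labelled "Warning" although the operation is aborted, and the wrong-nickname test case further down does not record the exit status, so the non-zero exit is the one part of the change that is not exercised. On style, the two remove() calls and the closing brace of the if block are indented differently from the surrounding code, and "if (...){" and "else{" are missing the space before the brace.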
-- 
1.8.3.1

Test cases:
----------

1. Find the certs.

[root pki1 ~]# pki pkcs12-cert-find  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
5 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2d0929b8e6e827b1f7fdf37f915b5a5b0662d42b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Audit Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,Pu
  Has Key: true


2. Try to remove a cert which doesn't exist.
[root pki1 ~]# pki pkcs12-cert-del "test"  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
Warning : Certificate Nickname test doesn't exist

3. Make sure all 5 entries exist.

[root pki1 ~]# pki pkcs12-cert-find  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
5 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 2d0929b8e6e827b1f7fdf37f915b5a5b0662d42b
  Serial Number: 0x5
  Nickname: auditSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Audit Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,Pu


4. Remove a valid cert and make sure 4 entries are now left.
[root pki1 ~]# pki pkcs12-cert-del "auditSigningCert cert-topology-02-CA CA"  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
-------------------------------------------------------------
Deleted certificate "auditSigningCert cert-topology-02-CA CA"
-------------------------------------------------------------

5. Now check the number of certs again. Make sure only one was deleted.

[root pki1 ~]# pki pkcs12-cert-find  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
---------------
4 entries found
---------------
  Certificate ID: 8f10550112e84d196c20368492579914900732bc
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 3bb6074fa6efe3d0b0e785b0366ccaacc4ca75c8
  Serial Number: 0x1
  Nickname: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: 1f32ec27dbb05aa0a305011d0114513b7fd17c6b
  Serial Number: 0x4
  Nickname: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 9bf832618b627f34ba17ed2664f5b50e4e0c9e7a
  Serial Number: 0x3
  Nickname: Server-Cert cert-topology-02-CA
  Subject DN: CN=pki1.example.com,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

6. Try to remove an empty cert.
[root pki1 ~]# pki pkcs12-cert-del  --pkcs12-file /tmp/test_BZ/ca.p12 --pkcs12-password-file /tmp/test_BZ/password.txt
Error: Missing certificate nickname.
usage: pkcs12-cert-del <nickname> [OPTIONS...]
    --debug                         Run in debug mode.
    --help                          Show help options
    --pkcs12-file <path>            PKCS #12 file
    --pkcs12-password <password>    PKCS #12 password
    --pkcs12-password-file <path>   PKCS #12 password file
 -v,--verbose                       Run in verbose mode.
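
The error-handling split suggested earlier in this thread (the removal method throws when the nickname is unknown, and the CLI catches the exception and reports it) can be sketched as follows. This is an added example, not code from the patch or from the PKI project: the class RemoveByNicknameSketch, the exception CertNotFoundException, the helper runDelete and the sample data are all hypothetical.

```java
import java.util.*;

// Hypothetical stand-in for the PKCS #12 container; not the Dogtag PKCS12 class.
public class RemoveByNicknameSketch {

    // Hypothetical exception type; the thread does not name one.
    static class CertNotFoundException extends Exception {
        CertNotFoundException(String nickname) {
            super("Certificate \"" + nickname + "\" not found");
        }
    }

    // Constructed sample store: certificate ID -> nickname, and ID -> key.
    final Map<String, String> nicknamesByID = new LinkedHashMap<>();
    final Map<String, String> keysByID = new LinkedHashMap<>();

    void removeCertInfoByNickname(String nickname) throws CertNotFoundException {
        List<String> ids = new ArrayList<>();
        for (Map.Entry<String, String> e : nicknamesByID.entrySet()) {
            if (e.getValue().equals(nickname)) ids.add(e.getKey());
        }
        // Fail before mutating anything; exiting or printing is the caller's job.
        if (ids.isEmpty()) throw new CertNotFoundException(nickname);
        for (String id : ids) {
            nicknamesByID.remove(id);
            keysByID.remove(id);
        }
    }

    // CLI side: report on stderr and turn the failure into an exit status.
    static int runDelete(RemoveByNicknameSketch store, String nickname) {
        try {
            store.removeCertInfoByNickname(nickname);
            System.out.println("Deleted certificate \"" + nickname + "\"");
            return 0;
        } catch (CertNotFoundException e) {
            System.err.println("Error: " + e.getMessage());
            return 1;
        }
    }

    public static void main(String[] args) {
        RemoveByNicknameSketch store = new RemoveByNicknameSketch();
        store.nicknamesByID.put("id-1", "caSigningCert cert-topology-02-CA CA");
        store.keysByID.put("id-1", "constructed-key");
        int missing = runDelete(store, "test"); // unknown nickname, store untouched
        int present = runDelete(store, "caSigningCert cert-topology-02-CA CA");
        System.exit(missing == 1 && present == 0 && store.keysByID.isEmpty() ? 0 : 2);
    }
}
```

Because the exit status is decided in one place on the CLI side, a script that deletes a certificate from a PKCS #12 file can check the status instead of parsing the message.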




