[Pki-devel] [PATCH] Added fix for pki-server for db-update

Fraser Tweedale ftweedal at redhat.com
Thu Jul 14 08:01:51 UTC 2016 

On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> 
> 
> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> >
> >
> > On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> >> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> >>> Hi,
> >>>
> >>> Please review this patch.Below is a small summary about this fix and
> >>> what we are trying to achieve.
> >>>
> >>> CLI :  pki-server db-upgrade
> >>>
> >>> what it should be doing is if it sees that issuerName doesn't exist,NULL
> >>> it will add it itself.
> >>>
> >>> Operation 1 : Search for the empty cn value for issuerName
> >>> -------------------------------------------------------------------------------
> >>>
> >>> Current :   '(&(objectclass=certificateRecord)(issuerName=*))  -- I
> >>> tried this it didn't show data even if i have record with empty issuerName
> >>>
> >> Hi Geetika,
> >>
> >> The current filter is actually:
> >>
> >>   '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> >>
> >> This should match entries missing the issuerName attribute.  You
> >> talk about an entry with "empty issuerName" but empty strings are
> >> not allowed for the Directory String attribute type.  Could you
> >> please clarify exactly what data is in the offending entry/entries
> >> and how it got there?
> > Hi Fraser,
> >
> > If we disable syntax check in ldap dse.ldif , it will accept empty
> > data as well.So if a end user disable syntax check,issuerName can be
> > empty in that case.(a test case that i tried)
> > So in that case db-update will never happen because that condition is
> > not considered.This scenario can be reproduced using below ldif file.
> >
> > <file>
> >
> > dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> > objectClass: certificateRecord
> > objectClass: top
> > cn: 106
> > algorithmId: 1.2.840.113549.1.1.1
> > autoRenew: ENABLED
> > certStatus: VALID
> > dateOfCreate: 20160712084443Z
> > dateOfModify: 20160712084443Z
> > duration: 1131536000000
> > issuedBy:   geetika20
> > *issuerName:     *  
> > metaInfo: requestId:100
> > notAfter: 20170712084205Z
> > notBefore: 20160712084205Z
> > publicKeyData::
> > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> > serialno: 100
> > signingAlgorithmId: 1.2.840.113549.1.1.11
> > subjectName: CN=CS Administrator,C=US
> > userCertificate;binary::
> > MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> > version: 2
> >
> > </file>
> >
> > So in such a case using
> > '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to
> > search for such entries.I tried and it gives me empty data .I believe
> > using (&(objectclass=certificateRecord)
> > (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> >
> > Thanks
> > Geetika
> Hi Frazer,
> 
> I just did one quick round of testing .If we have
> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> both cases :
> 
> 1. When issuerName doesn't exist.
> 2. When issuserName field exist but has empty value.
> 
> Thanks
> Geetika
>
I still disagree that it is the right approach, because it may do
unnecessary work for records that already have an issuerName that
does not start with "cn".

Is it even necessary to support cases where customer has disabled
syntax checking?  Nevertheless, let me disable syntax checking on
one of my instances and see if I can find a better filter.

Thanks,
Fraser

> >>> Modified :  (&(objectclass=certificateRecord)(!(issuerName=cn*)))'   --
> >>> This solves the purpose as it shows all the certs without issuerName
> >>>
> >> This filter is wrong - it does match entries without issuerName (as
> >> intended), but also matches entries with issuerName set but not
> >> starting with "cn".
> >>
> >>> Operation 2 : If we see a empty cn value , we are replacing it with
> >>> value we get from code
> >>> ------------------------------------------------------------------------------------------------------------------
> >>> < code>
> >>>
> >>> cert = nss.Certificate(bytearray(attr_cert[0]))
> >>>         issuer_name = str(cert.issuer)
> >>>
> >>> </code>
> >>>
> >>> Current : we are updating the list it the format as mentioned 
> >>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> >>> Domain']
> >>>
> >>> Do we want to keep this behavior or we want to overwrite it in first
> >>> place? I believe in place of we do it MOD_REPLACE.
> >>>
> >>> <try:
> >>>             conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
> >>> issuer_name)])
> >>> Modified : onn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
> >>> issuer_name)])
> >>>
> >> This change is OK.
> >
>

More information about the Pki-devel mailing list