[Pki-devel] [PATCH] Added fix for pki-server for db-update

Fraser Tweedale ftweedal at redhat.com
Thu Jul 14 11:51:34 UTC 2016


On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
> 
> 
> On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> >
> > On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> >>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> >>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> >>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> >>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Please review this patch. Below is a small summary about this fix and
> >>>>>>> what we are trying to achieve.
> >>>>>>>
> >>>>>>> CLI :  pki-server db-upgrade
> >>>>>>>
> >>>>>>> What it should be doing is: if it sees that issuerName doesn't exist (NULL),
> >>>>>>> it will add it itself.
> >>>>>>>
> >>>>>>> Operation 1 : Search for the empty cn value for issuerName
> >>>>>>> -------------------------------------------------------------------------------
> >>>>>>>
> >>>>>>> Current :   '(&(objectclass=certificateRecord)(issuerName=*))  -- I
> >>>>>>> tried this and it didn't show data even if I have a record with empty issuerName
> >>>>>>>
> >>>>>> Hi Geetika,
> >>>>>>
> >>>>>> The current filter is actually:
> >>>>>>
> >>>>>>   '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> >>>>>>
> >>>>>> This should match entries missing the issuerName attribute.  You
> >>>>>> talk about an entry with "empty issuerName" but empty strings are
> >>>>>> not allowed for the Directory String attribute type.  Could you
> >>>>>> please clarify exactly what data is in the offending entry/entries
> >>>>>> and how it got there?
> >>>>> Hi Fraser,
> >>>>>
> >>>>> If we disable syntax check in ldap dse.ldif, it will accept empty
> >>>>> data as well. So if an end user disables syntax check, issuerName can be
> >>>>> empty in that case (a test case that I tried).
> >>>>> So in that case db-update will never happen because that condition is
> >>>>> not considered. This scenario can be reproduced using the below ldif file.
> >>>>>
> >>>>> <file>
> >>>>>
> >>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> >>>>> objectClass: certificateRecord
> >>>>> objectClass: top
> >>>>> cn: 106
> >>>>> algorithmId: 1.2.840.113549.1.1.1
> >>>>> autoRenew: ENABLED
> >>>>> certStatus: VALID
> >>>>> dateOfCreate: 20160712084443Z
> >>>>> dateOfModify: 20160712084443Z
> >>>>> duration: 1131536000000
> >>>>> issuedBy:   geetika20
> >>>>> *issuerName:     *  
> >>>>> metaInfo: requestId:100
> >>>>> notAfter: 20170712084205Z
> >>>>> notBefore: 20160712084205Z
> >>>>> publicKeyData::
> >>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> >>>>> serialno: 100
> >>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
> >>>>> subjectName: CN=CS Administrator,C=US
> >>>>> userCertificate;binary::
> >>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> >>>>> version: 2
> >>>>>
> >>>>> </file>
> >>>>>
> >>>>> So in such a case using
> >>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able to
> >>>>> search for such entries. I tried and it gives me empty data. I believe
> >>>>> using (&(objectclass=certificateRecord)
> >>>>> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> >>>>>
> >>>>> Thanks
> >>>>> Geetika
> >>>> Hi Fraser,
> >>>>
> >>>> I just did one quick round of testing. If we have
> >>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> >>>> both cases:
> >>>>
> >>>> 1. When issuerName doesn't exist.
> >>>> 2. When the issuerName field exists but has an empty value.
> >>>>
> >>>> Thanks
> >>>> Geetika
> >>>>
> >>> I still disagree that it is the right approach, because it may do
> >>> unnecessary work for records that already have an issuerName that
> >>> does not start with "cn".
> >>>
> >>> Is it even necessary to support cases where customer has disabled
> >>> syntax checking?  Nevertheless, let me disable syntax checking on
> >>> one of my instances and see if I can find a better filter.
> >>>
> >> Please try this filter:
> >>
> >>     (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
> >>
> >> It will find only certificates with missing or empty issuername
> >> attribute.  Does it work as expected for you, Geetika?
> > Let me try, Fraser..
> >
> > Thanks
> 
> Thanks Fraser for helping in giving a better solution.
>
You're welcome.  ACK, and pushed to master:

c3ff087bd07cde4cd272defad499fd4d8367e5c1
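The thread turns on how three LDAP filters behave against records whose issuerName is absent, empty (only possible with the directory server's syntax checking disabled), or populated. The following Python evaluator is an added example, not the pki-server patch or any code from the thread: it implements a minimal subset of RFC 4515 filter syntax (and, or, not, presence, equality, trailing-wildcard substring) and runs the original, proposed and final filters over constructed certificateRecord entries. It assumes, as the thread's observations imply, that a presence filter matches an attribute that exists with an empty value, and that Directory String matching is case-insensitive; the entry DNs and values are constructed sample data.

```python
"""Toy LDAP filter evaluator for the db-upgrade issuerName discussion.

Added example (not pki-server code). Models the filters from the thread
against constructed certificateRecord entries so the difference between
"attribute missing", "attribute present but empty" and "attribute populated"
is visible without a directory server.
"""


def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index).

    Supports (&...), (|...), (!...), (attr=*), (attr=value) and (attr=prefix*).
    Assertion values containing ')' are out of scope for this toy parser.
    """
    assert s[i] == "(", "filter must start with '('"
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while s[i] != ")":
            child, i = parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if op == "!":
        child, i = parse(s, i + 1)
        assert s[i] == ")", "unterminated NOT filter"
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("item", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter node against entry {attr_lowercase: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr)
    if values is None:
        return False  # attribute absent: presence, equality and substring all fail
    if value == "*":
        return True  # presence: the attribute exists, even if its only value is ""
    if value.endswith("*"):
        prefix = value[:-1].lower()  # trailing-wildcard substring, caseIgnore
        return any(v.lower().startswith(prefix) for v in values)
    return any(v.lower() == value.lower() for v in values)  # caseIgnore equality


def search(filter_str, entries):
    """Return the sorted DNs of entries matched by filter_str."""
    node, _ = parse(filter_str)
    return sorted(dn for dn, entry in entries.items() if matches(node, entry))


# Constructed sample entries (attribute names lower-cased, as LDAP treats them
# case-insensitively). The DN suffix mirrors the one in the thread's LDIF.
BASE = "ou=certificateRepository,ou=ca,o=pkitest-CA"
ENTRIES = {
    f"cn=100,{BASE}": {"objectclass": ["certificateRecord", "top"],
                       "issuername": ["CN=CA Signing Certificate,O=pkitest-CA"]},
    f"cn=101,{BASE}": {"objectclass": ["certificateRecord", "top"]},  # attribute missing
    f"cn=106,{BASE}": {"objectclass": ["certificateRecord", "top"],
                       "issuername": [""]},  # present but empty (syntax check disabled)
    f"cn=107,{BASE}": {"objectclass": ["certificateRecord", "top"],
                       "issuername": ["O=Other CA,C=US"]},  # populated, not starting with cn
    "cn=1,ou=ca,o=pkitest-CA": {"objectclass": ["request", "top"]},  # not a certificateRecord
}

# The three filters exactly as they appear in the thread.
FILTERS = {
    "original": "(&(objectclass=certificateRecord)(!(issuerName=*)))",
    "proposed": "(&(objectclass=certificateRecord)(!(issuerName=cn*)))",
    "final": "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))",
}


def run_all(entries=ENTRIES):
    """Map each filter name to the DNs it selects from the sample entries."""
    return {name: search(f, entries) for name, f in FILTERS.items()}


if __name__ == "__main__":
    for name, dns in run_all().items():
        print(f"{name:9s} -> {dns}")
```

Running it shows why the final filter was chosen: the original filter selects only the record with no issuerName at all; the proposed `(!(issuerName=cn*))` also selects the empty record but additionally sweeps in the populated record whose issuer DN does not begin with `cn`, which is the unnecessary work Fraser objected to; the final `(|(!(issuername=*))(issuername=))` selects exactly the missing and empty records.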



