[Pki-devel] [PATCH] 0136 Compare serialised DNs in host authority check

Fraser Tweedale ftweedal at redhat.com
Thu Sep 22 02:20:19 UTC 2016


Hi team,

The attached patch fixes a bug in lightweight CAs' host authority
detection when the CA cert Subject DN contains PrintableString-encoded
attributes.

https://fedorahosted.org/pki/ticket/2475

Thanks,
Fraser
From 6afdc9944cc147f9d4aab2d5274eaa4dd3fe9243 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 22 Sep 2016 12:00:35 +1000
Subject: [PATCH] Compare serialised DNs in host authority check

CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created.  It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.

If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values.  This causes the
addition of a spurious host authority entry every time the server
starts.

Serialise DNs before comparing, to avoid these false negatives.

Fixes: https://fedorahosted.org/pki/ticket/2475
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 1f77fd81fc850af9996329dbec7d6a973ba62942..6b504f58c142f416392c190a3b9574854280fcfe 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3251,7 +3251,12 @@ public class CertificateAuthority
         if (descAttr != null)
             desc = (String) descAttr.getStringValues().nextElement();
 
-        if (dn.equals(mName)) {
+        /* Determine if it is the host authority's entry, by
+         * comparing DNs.  DNs must be serialised in case different
+         * encodings are used for AVA values, e.g. PrintableString
+         * from LDAP vs UTF8String in certificate.
+         */
+        if (dn.toString().equals(mName.toString())) {
             CMS.debug("Found host authority");
             foundHostAuthority = true;
             this.authorityID = aid;
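Review bot: the new comment's example is the reverse of what the commit message describes: the message says the certificate's DN carries PrintableString values and the LDAP DN parses to UTF8String, while the comment reads "PrintableString from LDAP vs UTF8String in certificate"; fix one of the two so they agree, since the next person debugging a host-authority mismatch will start from this comment. Two further points on `if (dn.toString().equals(mName.toString()))`: it only neutralises the string-type difference to the extent that toString() drops the tag, so any other serialisation difference between the two names still yields a false negative (worth a sentence in the comment), and unlike the old `dn.equals(mName)` it now throws rather than returning false if mName is null.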
-- 
2.5.5
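The encoding mismatch the commit message describes, as an added Python example that is not part of the patch or of the pki project: a toy DER encoder/decoder builds the same two-AVA DN once with PrintableString values (the certificate) and once with UTF8String values (LDAP), and compares them the old way and the patched way. Modelling the old equals() as a comparison that includes each value's string tag is an assumption, and the OIDs and sample values are constructed.

```python
# Added example, not pki project code: toy DER encoder/decoder for X.500 Names
# showing why an encoding-aware DN comparison fails when one side uses
# PrintableString and the other UTF8String, and why the serialised form matches.
CN_OID = bytes.fromhex("550403")   # 2.5.4.3  commonName
O_OID = bytes.fromhex("55040a")    # 2.5.4.10 organizationName
PRINTABLE, UTF8 = 0x13, 0x0C       # ASN.1 string tags

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128          # short-form lengths are enough here
    return bytes([tag, len(body)]) + body

def encode_dn(avas: list[tuple[bytes, str]], string_tag: int) -> bytes:
    """DER Name = SEQUENCE OF RDN; each RDN = SET OF one AVA SEQUENCE."""
    rdns = b""
    for oid, value in avas:
        ava = _tlv(0x30, _tlv(0x06, oid) + _tlv(string_tag, value.encode()))
        rdns += _tlv(0x31, ava)
    return _tlv(0x30, rdns)

def decode_dn(der: bytes) -> list[tuple[bytes, int, str]]:
    """Return [(oid, string_tag, text)] for a Name made of single-AVA RDNs."""
    assert der[0] == 0x30
    out, pos = [], 2
    while pos < len(der):
        assert der[pos] == 0x31 and der[pos + 2] == 0x30   # SET, SEQUENCE
        p = pos + 4                                        # OID TLV
        oid = der[p + 2: p + 2 + der[p + 1]]
        p += 2 + der[p + 1]                                # value TLV
        tag, vlen = der[p], der[p + 1]
        text = der[p + 2: p + 2 + vlen].decode("ascii" if tag == PRINTABLE else "utf-8")
        out.append((oid, tag, text))
        pos += 2 + der[pos + 1]                            # next RDN
    return out

def to_string(der: bytes) -> str:
    """Serialise like X500Name.toString(): the string tag is dropped."""
    names = {CN_OID: "CN", O_OID: "O"}
    return ",".join(f"{names.get(oid, oid.hex())}={t}" for oid, _, t in decode_dn(der))

def dn_equal_by_encoding(a: bytes, b: bytes) -> bool:
    """Models the old dn.equals(mName) (assumed): string tags must match too."""
    return decode_dn(a) == decode_dn(b)

def dn_equal_serialised(a: bytes, b: bytes) -> bool:
    """The patched check: compare serialised forms."""
    return to_string(a) == to_string(b)

# Constructed sample: the same DN as the certificate encodes it and as LDAP parses it.
AVAS = [(CN_OID, "Certificate Authority"), (O_OID, "EXAMPLE")]
CERT_DN = encode_dn(AVAS, PRINTABLE)   # PrintableString values
LDAP_DN = encode_dn(AVAS, UTF8)        # UTF8String values
```

The serialised comparison still treats any other difference (case, whitespace, RDN order) as unequal, so it removes the encoding false negative only, not the need for a canonical form.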
