Never mind, it's using a different profile from what I thought -_-.
Sorry for the noise.
Fraser
On Thu, May 29, 2014 at 05:02:14PM +1000, Fraser Tweedale wrote:
Hi all,
I've been chipping away at the profile changes required for
https://fedorahosted.org/freeipa/ticket/2915.
I've encountered a problem where the EKU extension constraint is
being replaced by NoConstraint for validation. The profile does
read the constraint correctly, i.e. it appears in the "Manage
Certificate Profiles" table in the web UI, but when it comes to
performing the validation, it is instead using
``com.netscape.cms.profile.constraint.NoConstraint``.
I am using a modified caServerCert profile; the only changed part
being:
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
(This change was made to the caServerCert profile).
This is occurring on master (989e5d3). A minimal patch that adds
the logging which demonstrates this behaviour (for me) is attached.
Any help in understanding this behaviour is appreciated :)
Cheers,
Fraser
>From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00
2001
From: Fraser Tweedale <frase(a)frase.id.au>
Date: Thu, 29 May 2014 02:42:22 -0400
Subject: [PATCH] NOPUSH add constraint logging
---
base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
index ea51084..5c103d3 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
@@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile {
for (int i = 0; i < policies.size(); i++) {
IProfilePolicy policy = policies.elementAt(i);
+ CMS.debug(policy.getConstraint().getClass().getName());
policy.getConstraint().validate(request);
}
CMS.debug("BasicProfile: change to pending state");
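Review bot: the added CMS.debug call inside the for loop logs a bare class name with no "BasicProfile:" prefix and no indication of which policy it belongs to, so the line cannot be tied to this validation loop or to a particular policy when read in the debug log, unlike the "BasicProfile: change to pending state" message just below it. Suggest prefixing the message and including the loop index i, and holding policy.getConstraint() in a local variable so the object that is logged is the same one validate(request) is called on. If this logging is ever kept beyond the NOPUSH debugging use, it would also help to log which profile the policies came from, since the class name alone does not show that.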
--
1.9.3
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
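The profile fragment quoted in the message above can be checked offline, which gives something to compare against the class name the debug patch logs at validation time. This is an added example, not code from the thread or from Dogtag; the sample text, the `otherSet` policy 8 and the function names are constructed for illustration, and the subset rule in `check_eku` is an assumption about what a reviewer wants flagged.

```python
import re

# Constructed sample: policy 7 as quoted in the message, plus a hypothetical
# policy 8 whose constraint is noConstraintImpl, to show the failing case.
SAMPLE = """\
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.otherSet.8.constraint.class_id=noConstraintImpl
policyset.otherSet.8.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.otherSet.8.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
"""

KEY = re.compile(r"^policyset\.([^.]+)\.(\d+)\.(constraint|default)\.(.+)$")

def parse_policies(text):
    """Group policyset.<set>.<n>.<constraint|default>.<key>=<value> lines by (set, n)."""
    policies = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY.match(key.strip())
        if m:
            pset, num, side, rest = m.groups()
            entry = policies.setdefault((pset, int(num)), {"constraint": {}, "default": {}})
            entry[side][rest] = value.strip()
    return policies

def oids(side):
    """Return the exKeyUsageOIDs parameter of one side as a set."""
    return {o.strip() for o in side.get("params.exKeyUsageOIDs", "").split(",") if o.strip()}

def check_eku(text):
    """Report EKU defaults whose constraint is absent, another class, or narrower."""
    findings = []
    for (pset, num), p in sorted(parse_policies(text).items()):
        if p["default"].get("class_id") != "extendedKeyUsageExtDefaultImpl":
            continue
        cid = p["constraint"].get("class_id")
        if cid != "extendedKeyUsageExtConstraintImpl":
            findings.append((pset, num, f"constraint class_id is {cid}"))
        elif not oids(p["default"]) <= oids(p["constraint"]):
            findings.append((pset, num, "default OIDs not allowed by constraint"))
    return findings

if __name__ == "__main__":
    for finding in check_eku(SAMPLE):
        print(finding)
```

Run it against the profile file the CA is expected to use: a clean result there, combined with NoConstraint in the debug log, points to a different profile being applied rather than to a parsing fault.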