On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Please review this patch. Below is a small summary about this fix
>>>>>> and what we are trying to achieve.
>>>>>>
>>>>>> CLI : pki-server db-upgrade
>>>>>>
>>>>>> what it should be doing is if it sees that issuerName doesn't
>>>>>> exist, NULL, it will add it itself.
>>>>>>
>>>>>> Operation 1 : Search for the empty cn value for issuerName
>>>>>>
>>>>>> -------------------------------------------------------------------------------
>>>>>>
>>>>>> Current :
>>>>>> '(&(objectclass=certificateRecord)(issuerName=*))' -- I
>>>>>> tried this, it didn't show data even if I have a record with
>>>>>> empty issuerName
>>>>>>
>>>>> Hi Geetika,
>>>>>
>>>>> The current filter is actually:
>>>>>
>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
>>>>>
>>>>> This should match entries missing the issuerName attribute. You
>>>>> talk about an entry with "empty issuerName" but empty
>>>>> strings are
>>>>> not allowed for the Directory String attribute type. Could you
>>>>> please clarify exactly what data is in the offending entry/entries
>>>>> and how it got there?
>>>> Hi Fraser,
>>>>
>>>> If we disable syntax check in ldap dse.ldif, it will accept empty
>>>> data as well. So if an end user disables syntax check, issuerName can be
>>>> empty in that case (a test case that I tried).
>>>> So in that case db-update will never happen because that condition is
>>>> not considered. This scenario can be reproduced using the below ldif file.
>>>>
>>>> <file>
>>>>
>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
>>>> objectClass: certificateRecord
>>>> objectClass: top
>>>> cn: 106
>>>> algorithmId: 1.2.840.113549.1.1.1
>>>> autoRenew: ENABLED
>>>> certStatus: VALID
>>>> dateOfCreate: 20160712084443Z
>>>> dateOfModify: 20160712084443Z
>>>> duration: 1131536000000
>>>> issuedBy: geetika20
>>>> *issuerName: *
>>>> metaInfo: requestId:100
>>>> notAfter: 20170712084205Z
>>>> notBefore: 20160712084205Z
>>>> publicKeyData::
>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
>>>> serialno: 100
>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
>>>> subjectName: CN=CS Administrator,C=US
>>>> userCertificate;binary::
>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
>>>> version: 2
>>>>
>>>> </file>
>>>>
>>>> So in such a case using
>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able to
>>>> search for such entries. I tried and it gives me empty data. I believe
>>>> using '(&(objectclass=certificateRecord)(!(issuerName=*))(!(issuerName=cn*)))'
>>>> can solve that purpose.
>>>>
>>>> Thanks
>>>> Geetika
>>> Hi Fraser,
>>>
>>> I just did one quick round of testing. If we have
>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will
>>> work in both cases:
>>>
>>> 1. When issuerName doesn't exist.
>>> 2. When the issuerName field exists but has an empty value.
>>>
>>> Thanks
>>> Geetika
>>>
>> I still disagree that it is the right approach, because it may do
>> unnecessary work for records that already have an issuerName that
>> does not start with "cn".
>>
>> Is it even necessary to support cases where customer has disabled
>> syntax checking? Nevertheless, let me disable syntax checking on
>> one of my instances and see if I can find a better filter.
>>
> Please try this filter:
>
> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>
> It will find only certificates with missing or empty issuername
> attribute. Does it work as expected for you, Geetika?
Let me try, Fraser..
Thanks
Yes that works for both test cases.
>>>>>> Modified :
>>>>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
>>>>>> This solves the purpose as it shows all the certs without
>>>>>> issuerName
>>>>>>
>>>>> This filter is wrong - it does match entries without issuerName (as
>>>>> intended), but also matches entries with issuerName set but not
>>>>> starting with "cn".
>>>>>
>>>>>> Operation 2 : If we see an empty cn value, we are replacing it
>>>>>> with the value we get from code
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------------------------
>>>>>> <code>
>>>>>>
>>>>>> cert = nss.Certificate(bytearray(attr_cert[0]))
>>>>>> issuer_name = str(cert.issuer)
>>>>>>
>>>>>> </code>
>>>>>>
>>>>>> Current : we are updating the list in the format as mentioned
>>>>>> 'issuerName': ['', 'CN=CA Signing
>>>>>> Certificate,O=example.com Security
>>>>>> Domain']
>>>>>>
>>>>>> Do we want to keep this behavior or do we want to overwrite it in
>>>>>> the first place? I believe in place of it we should do MOD_REPLACE.
>>>>>>
>>>>>> <try:
>>>>>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
>>>>>> issuer_name)])
>>>>>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
>>>>>> issuer_name)])
>>>>>>
>>>>> This change is OK.
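Added illustration (not code from the patch or from anyone in this thread): a small Python evaluator that runs the three filters discussed above over constructed certificateRecord entries, plus a mirror of what MOD_ADD versus MOD_REPLACE do to the issuerName value list. It assumes caseIgnore matching for values and that (issuername=) compares against an empty stored string, which is what Fraser observed with syntax checking disabled.

```python
# Constructed certificateRecord entries (attribute -> value list, as python-ldap returns them).
ENTRIES = {
    "cn=101": {"objectClass": ["certificateRecord"]},                        # issuerName missing
    "cn=102": {"objectClass": ["certificateRecord"], "issuerName": [""]},    # empty value (syntax check off)
    "cn=103": {"objectClass": ["certificateRecord"], "issuerName": ["CN=CA Signing Certificate,O=example.com"]},
    "cn=104": {"objectClass": ["certificateRecord"], "issuerName": ["O=example.com,CN=Other CA"]},
}

FILTER_CURRENT = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
FILTER_PROPOSED = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
FILTER_FRASER = "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP.
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(flt, entry):
    """Evaluate &, |, ! and (attr=value[*]) filters; assumes caseIgnore matching, (attr=) == empty string."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i in range(1, len(body)):                 # split the operand list at depth 0
            depth += (body[i] == "(") - (body[i] == ")")
            if depth == 0:
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(p, entry) for p in parts]
        return {"&": all(results), "|": any(results), "!": not results[0]}[body[0]]
    attr, _, pattern = body.partition("=")
    vals = [v.lower() for v in _values(entry, attr)]
    if pattern == "*":                                # presence: at least one value stored
        return bool(vals)
    if pattern.endswith("*"):                         # initial-substring match
        return any(v.startswith(pattern[:-1].lower()) for v in vals)
    return pattern.lower() in vals                    # equality (including the empty string)


def select(flt):
    """DNs the filter would hand to db-upgrade for modification."""
    return sorted(dn for dn, e in ENTRIES.items() if matches(flt, e))


def apply_mod(entry, op, attr, value):
    """Mirror of MOD_ADD vs MOD_REPLACE on one attribute's value list (returns a new entry)."""
    new = (_values(entry, attr) + [value]) if op == "MOD_ADD" else [value]
    return {**{k: v for k, v in entry.items() if k.lower() != attr.lower()}, attr: new}


if __name__ == "__main__":
    print({n: select(f) for n, f in [("current", FILTER_CURRENT), ("proposed", FILTER_PROPOSED), ("fraser", FILTER_FRASER)]})
    print(apply_mod(ENTRIES["cn=102"], "MOD_ADD", "issuerName", "CN=X"), apply_mod(ENTRIES["cn=102"], "MOD_REPLACE", "issuerName", "CN=X"))
```

The proposed cn* filter also selects cn=104, whose issuerName is set but does not start with "cn", which is the over-matching Fraser points out; only the final filter selects exactly the missing and empty cases.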
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel