pushed to master:
commit 98b2407eef642cd95296c972393b0c0db46230be
thanks,
Christina
On 02/12/2015 12:01 PM, John Magne wrote:
OK:
Having looked at this and the ticket, it's unfortunate we could not reproduce it.
The patch seems to be a decent way to defensively prevent this specific problem
from happening. I looked at the method in question that populates the dummy default
cert values and this one appears to be the one most dangerous if it slips through
being that of the Issuer's Subject.
Therefore I think this particular fix should be ACKED with the following caveats.
1. Right now that value is set to something like "CN=null". I think it would be better to make it an obvious string such as "Default Subject Name", so if someone actually gets this in a cert, it will throw up a nicer red flag to the user.
2. It sounds like some crazy confluence of events resulted in a cert being issued without a legit value for the subject. We should have a future ticket to track down exactly where the ball was dropped and fix that.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Wednesday, February 11, 2015 12:03:20 PM
Subject: [Pki-devel] [PATCH] pki-cfu-0044-ticket-822-creates-root-CA-subject-DN-when-renewing-.patch
This is a small patch for
https://fedorahosted.org/pki/ticket/822 rhcs81 caManualRenewal with
original profile modified for empty params.name creates root CA subject DN
I am actually not able to reproduce the reported issue on either latest
Dogtag or RHCS8.1, possibly due to some other fix on
SubjectNameDefault. However, the investigation showed that a cert's
subjectName has always been initialized to the issuerName. To avoid
future possible errors in newer profile plugins, I am changing the
initialization to "CN=null".
thanks,
Christina
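An audit check for the failure mode discussed in this thread, as an added example that is not part of the original messages or of the Dogtag code: it flags issued end-entity certificates whose subject DN equals the issuer DN, or is still the "CN=null" placeholder. The record fields (`serial`, `subject`, `issuer`, `is_ca`) and the sample records are assumptions constructed for illustration.

```python
import re

# Placeholder subject mentioned in the thread; extend if the default changes.
PLACEHOLDER_SUBJECTS = ("CN=null",)


def normalize_dn(dn):
    """Canonicalise a DN string for comparison: split on unescaped commas,
    trim, upper-case attribute types, case-fold values, collapse whitespace.
    Simplified: multi-valued RDNs and hex-encoded values are not handled."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        value = re.sub(r"\s+", " ", value.strip()).casefold()
        rdns.append(f"{attr.strip().upper()}={value}")
    return ",".join(rdns)


def audit_issued(records, placeholders=PLACEHOLDER_SUBJECTS):
    """Return (serial, reason) for each suspicious certificate record."""
    bad = {normalize_dn(p) for p in placeholders}
    findings = []
    for rec in records:
        subject = normalize_dn(rec["subject"])
        if subject in bad:
            findings.append((rec["serial"], "placeholder subject"))
        elif subject == normalize_dn(rec["issuer"]) and not rec["is_ca"]:
            # Only a self-signed CA cert should carry subject == issuer.
            findings.append((rec["serial"], "subject equals issuer on non-CA cert"))
    return findings


# Constructed sample records (hypothetical, not taken from the ticket).
CA_DN = "CN=CA Signing Certificate,O=EXAMPLE"
SAMPLE = [
    {"serial": "0x01", "subject": CA_DN, "issuer": CA_DN, "is_ca": True},
    {"serial": "0x1a", "subject": "CN=www.example.test,O=EXAMPLE",
     "issuer": CA_DN, "is_ca": False},
    {"serial": "0x1b", "subject": "cn=ca signing certificate, o=Example",
     "issuer": CA_DN, "is_ca": False},
    {"serial": "0x1c", "subject": "CN=null", "issuer": CA_DN, "is_ca": False},
]

if __name__ == "__main__":
    for serial, reason in audit_issued(SAMPLE):
        print(serial, reason)
```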