OK:
Having looked at this and the ticket, it's unfortunate we could not reproduce it.
The patch seems to be a decent way to defensively prevent this specific problem
from happening. I looked at the method in question that populates the dummy default
cert values, and this one appears to be the one most dangerous if it slips through,
being that of the Issuer's Subject.
Therefore I think this particular fix should be ACKED with the following caveats.
1. Right now that value is set to something like "CN=null". I think it would be
better to make it an obvious string such as "Default Subject Name", so if
someone actually gets this in a cert, it will throw up a nicer red flag to the user.
2. It sounds like some crazy confluence of events resulted in a cert being issued without
a legit value for the subject. We should have a future ticket to track down exactly where
the ball was dropped and fix that.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Wednesday, February 11, 2015 12:03:20 PM
Subject: [Pki-devel] [PATCH] pki-cfu-0044-ticket-822-creates-root-CA-subject-DN-when-renewing-.patch
This is a small patch for
https://fedorahosted.org/pki/ticket/822 rhcs81 caManualRenewal with
original profile modified for empty params.name creates root CA subject DN
I am actually not able to reproduce the reported issue on either latest
Dogtag or RHCS8.1, possibly due to some other fix on
SubjectNameDefault. However, the investigation showed that a cert's
subjectName has always been initialized to the issuerName. To avoid
future possible errors in newer profile plugins, I am changing the
initialization to "CN=null".
thanks,
Christina