From 3e324c2f1b30fa0f110052ff083b5ac9b3ce759e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 132/132] Perform host authority check before entryUSN check

When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added. Move the host authority check before the entryUSN check to avoid this scenario.

Fixes: https://fedorahosted.org/pki/ticket/2444
---
 .../src/com/netscape/ca/CertificateAuthority.java | 41 +++++++++++-----------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 856317e1604d8d536af3320562da62a0dab544cb..020918bbb2f268aea83a242e24fe2f016a2375ec 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3195,6 +3195,27 @@ public class CertificateAuthority
 AuthorityID aid = new AuthorityID((String) aidAttr.getStringValues().nextElement());
+ X500Name dn = null;
+ try {
+ dn = new X500Name((String) dnAttr.getStringValues().nextElement());
+ } catch (IOException e) {
+ CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
+ }
+
+ String desc = null;
+ LDAPAttribute descAttr = entry.getAttribute("description");
+ if (descAttr != null)
+ desc = (String) descAttr.getStringValues().nextElement();
+
+ if (dn.equals(mName)) {
+ CMS.debug("Found host authority");
+ foundHostAuthority = true;
+ this.authorityID = aid;
+ this.authorityDescription = desc;
+ caMap.put(aid, this);
+ return;
+ }
+
 Integer newEntryUSN = null;
 LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
 if (entryUSNAttr == null) {
@@ -3225,26 +3246,6 @@ public class CertificateAuthority
 }
 }
- X500Name dn = null;
- try {
- dn = new X500Name((String) dnAttr.getStringValues().nextElement());
- } catch (IOException e) {
- CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
- }
-
- String desc = null;
- LDAPAttribute descAttr = entry.getAttribute("description");
- if (descAttr != null)
- desc = (String) descAttr.getStringValues().nextElement();
-
- if (dn.equals(mName)) {
- foundHostAuthority = true;
- this.authorityID = aid;
- this.authorityDescription = desc;
- caMap.put(aid, this);
- return;
- }
-
 @SuppressWarnings("unused")
 X500Name parentDN = null;
 if (parentDNAttr != null) {
-- 
2.5.5
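Review bot: `dn.equals(mName)` in the added host-authority check dereferences `dn` while it is still null whenever the `X500Name` constructor throws `IOException`, because the catch block only logs and falls through; an LDAP authority entry with a malformed authorityDN therefore escapes this method as a NullPointerException instead of being skipped as the debug message implies. The commit relocates this block but does not address that; add `return;` after the `CMS.debug(...)` call inside the catch, or guard with `if (dn == null) return;` immediately before the comparison. The `descAttr.getStringValues().nextElement()` line may fail in the same fall-through way if the description attribute is present but carries no values, though that depends on the LDAP SDK's enumeration behaviour, which is not visible here. The enclosing method begins before this hunk and continues after it, so whether `dnAttr` was already null-checked earlier cannot be confirmed from the hunk.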