On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> Hi,
>
> Please review this patch. Below is a small summary of this fix and
> what we are trying to achieve.
>
> CLI : pki-server db-upgrade
>
> What it should be doing is: if it sees that issuerName doesn't exist (NULL),
> it will add it itself.
>
> Operation 1 : Search for the empty cn value for issuerName
> -------------------------------------------------------------------------------
>
> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> tried this; it didn't show data even if I have a record with an empty issuerName
>
Hi Geetika,
The current filter is actually:
'(&(objectclass=certificateRecord)(!(issuerName=*)))',
This should match entries missing the issuerName attribute. You
talk about an entry with "empty issuerName" but empty strings are
not allowed for the Directory String attribute type. Could you
please clarify exactly what data is in the offending entry/entries
and how it got there?
Hi Fraser,
If we disable syntax check in the LDAP dse.ldif, it will accept empty data
as well. So if an end user disables syntax check, issuerName can be empty in
that case (a test case that I tried).
So in that case db-update will never happen because that condition is
not considered. This scenario can be reproduced using the below ldif file.
<file>
dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
objectClass: certificateRecord
objectClass: top
cn: 106
algorithmId: 1.2.840.113549.1.1.1
autoRenew: ENABLED
certStatus: VALID
dateOfCreate: 20160712084443Z
dateOfModify: 20160712084443Z
duration: 1131536000000
issuedBy: geetika20
issuerName:
metaInfo: requestId:100
notAfter: 20170712084205Z
notBefore: 20160712084205Z
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
serialno: 100
signingAlgorithmId: 1.2.840.113549.1.1.11
subjectName: CN=CS Administrator,C=US
userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
version: 2
</file>
So in such a case, using
'(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able to
search for such entries. I tried and it gives me empty data. I believe
using (&(objectclass=certificateRecord)(!(issuerName=*))(!(issuerName=cn*)))
can solve that purpose.
Thanks
Geetika
> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
> This solves the purpose as it shows all the certs without issuerName
>
This filter is wrong - it does match entries without issuerName (as
intended), but also matches entries with issuerName set but not
starting with "cn".
> Operation 2 : If we see an empty cn value, we are replacing it with the
> value we get from code
>
> -------------------------------------------------------------------------------
> <code>
>
> cert = nss.Certificate(bytearray(attr_cert[0]))
> issuer_name = str(cert.issuer)
>
> </code>
>
> Current : we are updating the list in the format as mentioned:
> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security Domain']
>
> Do we want to keep this behavior or do we want to overwrite it in the first
> place? I believe in place of it we should do MOD_REPLACE.
>
> try:
>     conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)])
>
This change is OK.
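To make the filter discussion concrete, here is an added example (not part of the pki patch or of this thread) that runs the three filters quoted above against constructed certificateRecord entries. The evaluator is a toy, not python-ldap or the directory server; the entries, DNs and issuer values are assumptions. It models the behaviour reported in the thread: a presence filter matches an attribute that exists with an empty value (syntax check disabled), while a substring filter on an absent attribute evaluates to FALSE as in RFC 4511.

```python
# Constructed certificateRecord entries (toy data, not from a real directory):
# issuerName missing; empty (only possible with the server's syntax check
# disabled); a CN= issuer; and an issuer DN that does not start with "cn".
ENTRIES = {
    "cn=100": {"objectClass": ["certificateRecord"]},
    "cn=106": {"objectClass": ["certificateRecord"], "issuerName": [""]},
    "cn=107": {"objectClass": ["certificateRecord"],
               "issuerName": ["CN=CA Signing Certificate,O=example.com Security Domain"]},
    "cn=108": {"objectClass": ["certificateRecord"], "issuerName": ["OU=Sub CA,O=example.com"]},
}
FILTERS = {  # the three filters quoted in the thread
    "original": "(&(objectclass=certificateRecord)(!(issuerName=*)))",
    "modified": "(&(objectclass=certificateRecord)(!(issuerName=cn*)))",
    "combined": "(&(objectclass=certificateRecord)(!(issuerName=*))(!(issuerName=cn*)))",
}

def _children(body):
    """Split the operands of an '&' node into its top-level '(...)' filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(body[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Toy evaluator for the shapes used above: '&', '!', presence (attr=*),
    case-insensitive prefix substring (attr=cn*) and equality. An absent
    attribute gives FALSE for substring/equality; presence is TRUE whenever
    the attribute exists, even with an empty value."""
    inner = flt[1:-1]
    if inner.startswith("&"):
        return all(matches(entry, f) for f in _children(inner[1:]))
    if inner.startswith("!"):
        return not matches(entry, inner[1:])
    attr, _, value = inner.partition("=")
    key = next((k for k in entry if k.lower() == attr.lower()), None)  # names are case-insensitive
    values = [v.lower() for v in entry.get(key, [])]
    if value == "*":
        return key is not None
    if value.endswith("*"):
        return any(v.startswith(value[:-1].lower()) for v in values)
    return value.lower() in values

def search(flt):
    """DNs the filter selects, i.e. the entries db-upgrade would touch."""
    return sorted(dn for dn, e in ENTRIES.items() if matches(e, flt))
```

Running `search` over each entry of `FILTERS` shows which of the four constructed entries each filter would hand to the upgrade step, including the OU= issuer that the `cn*` variant picks up.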