| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-09-22 12:00:35 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-09-23 13:34:40 +1000 |
| commit | 9043a08bef3723ca218ad7e5dd82be61166b5a1d (patch) | |
| tree | 1c57f438a0bb49279a17fa06a582a263b8b1f46c /base/ca/src | |
| parent | 3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d (diff) | |
Compare serialised DNs in host authority check
CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created. It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.
If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values. This causes the
addition of a spurious host authority entry every time the server
starts.
Serialise DNs before comparing, to avoid these false negatives.
Fixes: https://fedorahosted.org/pki/ticket/2475
Diffstat (limited to 'base/ca/src')
-rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index a4f102435..ae90d3ac1 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -3256,7 +3256,12 @@ public class CertificateAuthority if (descAttr != null) desc = (String) descAttr.getStringValues().nextElement(); - if (dn.equals(mName)) { + /* Determine if it is the host authority's entry, by + * comparing DNs. DNs must be serialised in case different + * encodings are used for AVA values, e.g. PrintableString + * from LDAP vs UTF8String in certificate. + */ + if (dn.toString().equals(mName.toString())) { CMS.debug("Found host authority"); foundHostAuthority = true; this.authorityID = aid; |
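Review bot: The new comment in this hunk has the encodings backwards relative to the commit message: it says "PrintableString from LDAP vs UTF8String in certificate", while the message states that the certificate DN carries PrintableString values and the LDAP DN parses to UTF8String. Please align the comment with the message (or the message with the comment) so future readers know which side produces which encoding. Also worth noting in the comment that `dn.toString().equals(mName.toString())` is an exact `String` comparison: it removes the encoding mismatch, but any difference in attribute-value case or spacing between the two serialised forms will still make the host-authority check fail and recreate the spurious entry on every start, which is the failure mode this change is meant to stop; if both DNs are guaranteed to originate from the same certificate that is fine, but it deserves a sentence alongside the encoding rationale.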