authorFraser Tweedale <ftweedal@redhat.com>2016-09-22 12:00:35 +1000
committerFraser Tweedale <ftweedal@redhat.com>2016-09-23 13:34:40 +1000
commit9043a08bef3723ca218ad7e5dd82be61166b5a1d (patch)
tree1c57f438a0bb49279a17fa06a582a263b8b1f46c /base/ca/src
parent3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d (diff)
Compare serialised DNs in host authority check
CA startup creates an LWCA entry for the host authority if it determines that one has not already been created. It determines if an LWCA entry corresponds to the host CA by comparing the DN from LDAP with the DN from the host authority's certificate. If the DN from the host authority's certificate contains values encoded as PrintableString, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values. This causes the addition of a spurious host authority entry every time the server starts. Serialise DNs before comparing, to avoid these false negatives. Fixes: https://fedorahosted.org/pki/ticket/2475
Diffstat (limited to 'base/ca/src')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthority.java7
1 files changed, 6 insertions, 1 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a4f102435..ae90d3ac1 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3256,7 +3256,12 @@ public class CertificateAuthority
if (descAttr != null)
desc = (String) descAttr.getStringValues().nextElement();
- if (dn.equals(mName)) {
+ /* Determine if it is the host authority's entry, by
+ * comparing DNs. DNs must be serialised in case different
+ * encodings are used for AVA values, e.g. PrintableString
+ * from LDAP vs UTF8String in certificate.
+ */
+ if (dn.toString().equals(mName.toString())) {
CMS.debug("Found host authority");
foundHostAuthority = true;
this.authorityID = aid;