From 970fcc3b14f3a3fd5579aaa0259d289d82cff13d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 27 Apr 2016 13:35:41 +1000
Subject: Fix NSSDB certificate search method 'getX509CertFromToken' erroneously compares Issuer DN of given cert with Subject DNs of cert in NSSDB. It falsely returns the parent of the target cert, if the certs have the same serial number. In the context of how this method is used, it causes the deletion of an external CA certificate from the NSSDB if the serial numbers match, and subsequent certificate verification failure when connecting to LDAP. Update the method to check the Issuer DN. Fixes: https://fedorahosted.org/pki/ticket/2301
---
.../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'base/server/cms/src/com')
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 8c353f0c7..c0f0ce1f4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1168,7 +1168,7 @@ public class ConfigurationUtils {
 CryptoManager cm = CryptoManager.getInstance();
 X509Certificate[] permcerts = cm.getPermCerts();
 for (int i = 0; i < permcerts.length; i++) {
- String issuer_p = permcerts[i].getSubjectDN().toString();
+ String issuer_p = permcerts[i].getIssuerDN().toString();
 BigInteger serial_p = permcerts[i].getSerialNumber();
 if (issuer_p.equals(issuer_impl) && serial_p.compareTo(serial_impl) == 0) {
 return permcerts[i];
-- cgit
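Review bot: The match inside the loop still depends on `issuer_p.equals(issuer_impl)`, which compares `toString()` renderings of the issuer DN. It is only reliable if both certificate implementations print a DN identically (attribute order, case, spacing); how `issuer_impl` is built lies outside the hunk, so this should be confirmed. The commit description says the returned certificate is used to decide what gets deleted from the NSSDB, so the assumption deserves a comment above the loop, e.g. `// (issuer DN, serial) identifies the cert; issuer_impl must be rendered the same way as getIssuerDN().toString()`. The diffstat shows only this file changed, so a regression test with a CA certificate and a leaf certificate sharing one serial number would help pin the fix. The method body starts and ends outside the hunk.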