Hi all,

Please review the attached patch, which fixes
https://fedorahosted.org/pki/ticket/2301.

Cheers,
Fraser
From f912026913a93e40d1e06ba93f873b621feffbc6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 27 Apr 2016 13:35:41 +1000
Subject: [PATCH] Fix NSSDB certificate search method

'getX509CertFromToken' erroneously compares Issuer DN of given cert
with Subject DNs of cert in NSSDB.  It falsely returns the parent of
the target cert, if the certs have the same serial number.

In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.

Update the method to check the Issuer DN.

Fixes: https://fedorahosted.org/pki/ticket/2301
---
 .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java 
b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 
8c353f0c7af47772af7fe3aab371fdf1ec0a6f29..c0f0ce1f405dd63232f1be6c15f8bd8d1a8d3c4b
 100644
--- 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ 
b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1168,7 +1168,7 @@ public class ConfigurationUtils {
         CryptoManager cm = CryptoManager.getInstance();
         X509Certificate[] permcerts = cm.getPermCerts();
         for (int i = 0; i < permcerts.length; i++) {
-            String issuer_p = permcerts[i].getSubjectDN().toString();
+            String issuer_p = permcerts[i].getIssuerDN().toString();
             BigInteger serial_p = permcerts[i].getSerialNumber();
             if (issuer_p.equals(issuer_impl) && 
serial_p.compareTo(serial_impl) == 0) {
                 return permcerts[i];
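Review bot: the match on the `issuer_p.equals(issuer_impl)` line still depends on string equality of `toString()` output for two DN objects, so after this fix a formatting difference between the two renderings (attribute order, spacing, escaping) would make the lookup miss silently rather than return the wrong cert. `issuer_impl` is computed outside this hunk, so please confirm it is derived from the issuer DN in the same way and by a class that renders DNs identically to `permcerts[i].getIssuerDN()`; if that cannot be guaranteed, compare the encoded names or a normalised form instead. Since the variable now really holds the issuer, a one-line comment that a cert is identified by issuer DN plus serial number would help prevent the subject/issuer mix-up from coming back, and a regression test with a CA cert and a leaf cert sharing a serial number would cover the case described in the commit message.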
-- 
2.5.5

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
