On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
>
> On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
>> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
>>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
>>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
>>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
>>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please review this patch. Below is a small summary about this fix and
>>>>>>> what we are trying to achieve.
>>>>>>>
>>>>>>> CLI : pki-server db-upgrade
>>>>>>>
>>>>>>> What it should be doing is: if it sees that issuerName doesn't exist
>>>>>>> (NULL), it will add it itself.
>>>>>>>
>>>>>>> Operation 1 : Search for the empty cn value for issuerName
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
>>>>>>> tried this; it didn't show data even if I have a record with an empty
>>>>>>> issuerName
>>>>>>>
>>>>>> Hi Geetika,
>>>>>>
>>>>>> The current filter is actually:
>>>>>>
>>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
>>>>>>
>>>>>> This should match entries missing the issuerName attribute. You
>>>>>> talk about an entry with "empty issuerName" but empty strings are
>>>>>> not allowed for the Directory String attribute type. Could you
>>>>>> please clarify exactly what data is in the offending entry/entries
>>>>>> and how it got there?
>>>>> Hi Fraser,
>>>>>
>>>>> If we disable the syntax check in the LDAP dse.ldif, it will accept empty
>>>>> data as well. So if an end user disables the syntax check, issuerName can be
>>>>> empty in that case (a test case that I tried).
>>>>> So in that case the db-update will never happen because that condition is
>>>>> not considered. This scenario can be reproduced using the ldif file below.
>>>>>
>>>>> <file>
>>>>>
>>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
>>>>> objectClass: certificateRecord
>>>>> objectClass: top
>>>>> cn: 106
>>>>> algorithmId: 1.2.840.113549.1.1.1
>>>>> autoRenew: ENABLED
>>>>> certStatus: VALID
>>>>> dateOfCreate: 20160712084443Z
>>>>> dateOfModify: 20160712084443Z
>>>>> duration: 1131536000000
>>>>> issuedBy: geetika20
>>>>> *issuerName: *
>>>>> metaInfo: requestId:100
>>>>> notAfter: 20170712084205Z
>>>>> notBefore: 20160712084205Z
>>>>> publicKeyData::
>>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
>>>>> serialno: 100
>>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
>>>>> subjectName: CN=CS Administrator,C=US
>>>>> userCertificate;binary::
>>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
>>>>> version: 2
>>>>>
>>>>> </file>
>>>>>
>>>>> So in such a case, using
>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able to
>>>>> search for such entries. I tried and it gives me empty data. I believe
>>>>> using (&(objectclass=certificateRecord)
>>>>> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
>>>>>
>>>>> Thanks
>>>>> Geetika
>>>> Hi Fraser,
>>>>
>>>> I just did one quick round of testing. If we have
>>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
>>>> both cases:
>>>>
>>>> 1. When issuerName doesn't exist.
>>>> 2. When the issuerName field exists but has an empty value.
>>>>
>>>> Thanks
>>>> Geetika
>>>>
>>> I still disagree that it is the right approach, because it may do
>>> unnecessary work for records that already have an issuerName that
>>> does not start with "cn".
>>>
>>> Is it even necessary to support cases where the customer has disabled
>>> syntax checking? Nevertheless, let me disable syntax checking on
>>> one of my instances and see if I can find a better filter.
>>>
>> Please try this filter:
>>
>> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>>
>> It will find only certificates with a missing or empty issuername
>> attribute. Does it work as expected for you, Geetika?
> Let me try, Fraser.
>
> Thanks
Yes, that works for both test cases.
>>>>>>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
>>>>>>> This solves the purpose as it shows all the certs without issuerName
>>>>>>>
>>>>>> This filter is wrong - it does match entries without issuerName (as
>>>>>> intended), but also matches entries with issuerName set but not
>>>>>> starting with "cn".
>>>>>>
>>>>>>> Operation 2 : If we see an empty cn value, we are replacing it with the
>>>>>>> value we get from code
>>>>>>> ------------------------------------------------------------------------------------------------------------------
>>>>>>> <code>
>>>>>>>
>>>>>>> cert = nss.Certificate(bytearray(attr_cert[0]))
>>>>>>> issuer_name = str(cert.issuer)
>>>>>>>
>>>>>>> </code>
>>>>>>>
>>>>>>> Current : we are updating the list in the format as mentioned:
>>>>>>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
>>>>>>> Domain']
>>>>>>>
>>>>>>> Do we want to keep this behavior, or do we want to overwrite it in the
>>>>>>> first place? I believe in place of that we should do MOD_REPLACE.
>>>>>>>
>>>>>>> Current :
>>>>>>> try:
>>>>>>>     conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
>>>>>>>                              issuer_name)])
>>>>>>> Modified :
>>>>>>>     conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
>>>>>>>                              issuer_name)])
>>>>>>>
>>>>>> This change is OK.
_______________________________________________ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
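Added illustration, not code from this thread or from the Dogtag PKI project: an in-memory model that runs the three filters discussed above against a handful of constructed certificateRecord entries and then replays the db-upgrade write with MOD_ADD versus MOD_REPLACE. The filter evaluator is a toy subset of RFC 4515 written for this example (and/or/not, presence, equality, substring), the DNs and values are invented, the behaviour of an empty attribute value under `(attr=*)` and `(attr=)` is modelled on what the thread reports for 389-ds (an assumption, not something verified against a server here), and the issuer written by the upgrade is a fixed constant standing in for the value the real script reads from the certificate with `nss.Certificate(...).issuer`.

```python
"""Added illustration (not code from the thread or the Dogtag PKI project): an
in-memory model of the issuerName db-upgrade filters and modify operations."""
import copy
import re

# Constructed sample entries; DNs and values are invented for this example.
BASE = "ou=certificateRepository,ou=ca,o=pkitest-CA"
CA_ISSUER = "CN=CA Signing Certificate,O=example.com Security Domain"
OTHER_ISSUER = "O=Other Issuer,C=US"
CERT_OC = ["certificateRecord", "top"]

ENTRIES = {
    f"cn=100,{BASE}": {"objectClass": CERT_OC, "cn": ["100"], "issuerName": [CA_ISSUER]},
    f"cn=101,{BASE}": {"objectClass": CERT_OC, "cn": ["101"]},  # attribute absent
    f"cn=102,{BASE}": {"objectClass": CERT_OC, "cn": ["102"], "issuerName": [""]},  # empty (syntax check off)
    f"cn=103,{BASE}": {"objectClass": CERT_OC, "cn": ["103"], "issuerName": [OTHER_ISSUER]},  # not "CN..."
}

# The three filters from the thread: the original, the "cn*" proposal, and the
# one that selects records whose issuerName is missing *or* empty.
FILTER_MISSING_ONLY = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
FILTER_NOT_CN = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
FILTER_MISSING_OR_EMPTY = "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"

MOD_ADD, MOD_REPLACE = "MOD_ADD", "MOD_REPLACE"  # stand-ins for ldap.MOD_ADD / ldap.MOD_REPLACE

def parse_filter(text):
    """Parse a subset of RFC 4515: (&..), (|..), (!..) and (attr=value) items.
    Values may not contain ')'; approx/extensible matching is not supported."""
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), i + 1  # s[i] is the ')' closing the NOT
    close = s.index(")", i)
    attr, _, value = s[i:close].partition("=")
    return ("=", attr.lower(), value), close + 1

def _values(attrs, name):
    """Case-insensitive attribute lookup (LDAP attribute types are case-insensitive)."""
    return next((list(v) for k, v in attrs.items() if k.lower() == name.lower()), [])

def matches(node, attrs):
    """Evaluate a parsed filter. Modelled on the 389-ds behaviour reported in the
    thread (assumption): an empty value still satisfies presence (attr=*), and
    (attr=) is an equality match on the empty string. Comparison is case-insensitive."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, name, pattern = node
    values = [v.lower() for v in _values(attrs, name)]
    if pattern == "*":  # presence
        return bool(values)
    if "*" in pattern:  # substring, e.g. 'cn*'
        regex = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
        return any(re.fullmatch(regex, v) for v in values)
    return pattern.lower() in values  # equality, including ''

def search(entries, filter_text):
    """Return the DNs (in directory order) selected by the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]

def apply_mod(attrs, op, name, value):
    """Mimic conn.ldap.modify_s(dn, [(op, name, value)]) on a copy of the entry:
    MOD_ADD appends to the existing values, MOD_REPLACE discards them first."""
    new = {k: list(v) for k, v in attrs.items()}
    key = next((k for k in new if k.lower() == name.lower()), name)
    if op == MOD_ADD:
        new.setdefault(key, []).append(value)
    else:
        new[key] = [value]
    return new

def upgrade_issuer_names(entries, filter_text, op, issuer_name):
    """Simulate the db-upgrade loop. The real script derives issuer_name per record
    from the stored certificate (nss.Certificate(...).issuer); here a fixed value
    stands in because no certificate is parsed (assumption of this example)."""
    result = copy.deepcopy(entries)
    for dn in search(entries, filter_text):
        result[dn] = apply_mod(result[dn], op, "issuerName", issuer_name)
    return result

if __name__ == "__main__":
    for label, flt in [("missing only", FILTER_MISSING_ONLY), ("not cn*", FILTER_NOT_CN),
                       ("missing or empty", FILTER_MISSING_OR_EMPTY)]:
        print(f"{label:17}: {[dn.split(',')[0] for dn in search(ENTRIES, flt)]}")
    for op in (MOD_ADD, MOD_REPLACE):
        fixed = upgrade_issuer_names(ENTRIES, FILTER_MISSING_OR_EMPTY, op, CA_ISSUER)
        print(f"{op:11}: cn=102 issuerName -> {fixed[f'cn=102,{BASE}']['issuerName']}")
```

Run stand-alone it prints the three result sets side by side: the original filter selects only cn=101, the `cn*` variant also drags in cn=103 (a populated issuerName that happens not to start with CN), and the missing-or-empty filter selects exactly cn=101 and cn=102. The modify replay shows why MOD_REPLACE is the right choice for this upgrade: with MOD_ADD the empty-valued record ends up as `['', 'CN=CA Signing Certificate,...']`, which the missing-or-empty filter still matches on the next run, so a rerun would try to add the same value again and a real server would reject it as an existing value; with MOD_REPLACE a second search after the upgrade returns nothing, which is the check worth running after a db-upgrade.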