I had to reopen https://pagure.io/dogtagpki/issue/2618 ("Allow CA to process pre-signed CMC renewal non-signing cert requests") due to an issue in UniqueKeyConstraint.java where the subjectDN comparison was not 100% correct.

This patch makes sure that the comparison is done at the Object level, so it eliminates room for error.

Thanks,

Christina


>From 2d69d9332eea7ddc5205dc9e44d15452be4be61f Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@redhat.com>
Date: Tue, 20 Jun 2017 15:04:12 -0700
Subject: [PATCH] Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison

---
 .../com/netscape/cms/profile/constraint/UniqueKeyConstraint.java    | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
index 030995a..2614576 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
@@ -240,11 +240,7 @@ public class UniqueKeyConstraint extends EnrollConstraint {
                             }
                             // only VALID or EXPIRED certs could have reached here
                             X509CertImpl origCert = rec.getCertificate();
-                            String certDN =
-                                    origCert.getSubjectDN().toString();
-                            CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN);
-
-                            sjname_in_db = new X500Name(certDN);
+                            sjname_in_db = (X500Name) origCert.getSubjectDN();
 
                             if (sjname_in_db.equals(sjname_in_req) == false) {
                                 msg = msg + "subject name not match in same key renewal;";
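Review bot: The cast on the added line, (X500Name) origCert.getSubjectDN(), is unchecked, so a subject that comes back as any other type would raise a ClassCastException here instead of reaching the "subject name not match in same key renewal" path. Guard it with an instanceof test and treat a non-X500Name subject as a constraint failure with its own message. The hunk also removes the only CMS.debug line that showed the subject DN read from LDAP; logging both sjname_in_db and sjname_in_req inside the mismatch branch would keep a rejected renewal diagnosable. As a style point, the context line "sjname_in_db.equals(sjname_in_req) == false" reads better as a negated condition, and the commit message would benefit from a body stating why the string round-trip through new X500Name(certDN) compared incorrectly.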
-- 
2.7.4
