Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed.
Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly.
This scenario also results in an additional authority entry for the host CA being added, because the skip due to entryUSN processing makes it seem that there is no entry for the host authority.
Per PKI Bug Council of 08/31/2016: 10.3.6
Checked into master:
commit e457cb8367f39562a844229ddb9da9c3a46d9611
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Wed Aug 24 14:10:55 2016 +1000

    Perform host authority check before entryUSN check

    When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added.

    Move the host authority check before the entryUSN check to avoid this scenario.

    Fixes: https://fedorahosted.org/pki/ticket/2444
commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe
Author: Fraser Tweedale <frase@frase.id.au>
Date:   Tue Aug 23 14:50:03 2016 +1000

    Accept LWCA entry with missing entryUSN if plugin enabled

    Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed.

    Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly.

    Part of: https://fedorahosted.org/pki/ticket/2444
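The two commits above change the order and the outcome of two checks in the authority monitor's scan loop. The model below is an added illustration, not Dogtag's Java code: it reproduces the ticket's description of the loop (entryUSN check, host-authority check, and the "add a host authority entry if none was seen" fallback) so that the duplicate-host-entry scenario can be exercised with the pre-fix and post-fix check order side by side. Entry shape, the authority id "host-ca", the `Entry`/`AuthorityMonitor` names and the sample directory are all constructed assumptions.

```python
"""Model of the lightweight-CA authority monitor's scan loop (constructed
illustration, not the project's code).  Two switches select the behaviour
before/after each commit discussed on the ticket:

  accept_missing_usn_if_plugin_enabled  -> commit d1aa1ec0 (False = before)
  host_check_first                      -> commit e457cb83 (False = before)
"""
from dataclasses import dataclass, field

HOST_AUTHORITY_ID = "host-ca"  # assumed id of the host CA's authority entry


@dataclass
class Entry:
    authority_id: str
    attrs: dict


@dataclass
class AuthorityMonitor:
    usn_plugin_enabled: bool
    accept_missing_usn_if_plugin_enabled: bool
    host_check_first: bool
    loaded: dict = field(default_factory=dict)
    found_host_authority: bool = False
    log: list = field(default_factory=list)

    def _usn_check(self, entry):
        """Return True if processing of `entry` may continue."""
        if "entryUSN" in entry.attrs:
            return True
        if self.usn_plugin_enabled and self.accept_missing_usn_if_plugin_enabled:
            # The USN plugin maintains the attribute; nothing to report.
            return True
        if self.usn_plugin_enabled:
            self.log.append(f"{entry.authority_id}: entry has no entryUSN; skipping")
        else:
            self.log.append(f"{entry.authority_id}: entry has no entryUSN and "
                            "the USN plugin is not enabled; skipping")
        return False

    def _host_check(self, entry):
        if entry.authority_id == HOST_AUTHORITY_ID:
            self.found_host_authority = True

    def scan(self, directory):
        """Process every entry, then add a host authority entry if none was seen."""
        for entry in list(directory):
            if self.host_check_first:
                self._host_check(entry)
                if not self._usn_check(entry):
                    continue
            else:
                # Pre-fix order: a skipped entry never reaches the host check.
                if not self._usn_check(entry):
                    continue
                self._host_check(entry)
            self.loaded[entry.authority_id] = entry
        if not self.found_host_authority:
            # The CA believes it has no host authority entry and adds one.
            directory.append(Entry(HOST_AUTHORITY_ID, {"entryUSN": "new"}))
        return directory


def host_entry_count(directory):
    return sum(1 for e in directory if e.authority_id == HOST_AUTHORITY_ID)


def sample_directory():
    # Constructed sample: the host CA entry lacks entryUSN, one LWCA has it.
    return [Entry(HOST_AUTHORITY_ID, {"cn": "host-ca"}),
            Entry("lwca-1", {"entryUSN": "17"})]


def run(usn_plugin_enabled, accept_missing, host_first):
    """Return (host entries in directory, host seen?, loaded ids, log)."""
    directory = sample_directory()
    monitor = AuthorityMonitor(usn_plugin_enabled, accept_missing, host_first)
    monitor.scan(directory)
    return (host_entry_count(directory), monitor.found_host_authority,
            sorted(monitor.loaded), monitor.log)


if __name__ == "__main__":
    for args in [(False, False, False), (False, True, True),
                 (True, False, False), (True, True, True)]:
        print(args, run(*args))
```

With the plugin disabled and the pre-fix order, the host entry is skipped before the host check runs, so a second host authority entry is appended (the "additional entries" from the ticket). With the host check first, the entry is still skipped and logged, but it is recognised, so nothing is added. With the plugin enabled and the post-fix USN handling, the entry is loaded and no failure is logged.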
Cherry-picked into DOGTAG_10_3_BRANCH:
From 3a97c5fc0df7015a7e19236778089c67441a1499 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 08/10] Perform host authority check before entryUSN check
When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added.
Move the host authority check before the entryUSN check to avoid this scenario.
Fixes: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611)
From 21e268ae6d5f9c2f93d4d80a6285e453974b5c07 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase@frase.id.au>
Date: Tue, 23 Aug 2016 14:50:03 +1000
Subject: [PATCH 07/10] Accept LWCA entry with missing entryUSN if plugin enabled
Part of: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe)
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: 10.3.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2564
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.