From bd7606fc9f2f7349ab33c0d9629667533a4fa7cd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 22 Sep 2016 12:00:35 +1000
Subject: [PATCH] Compare serialised DNs in host authority check
CA startup creates an LWCA entry for the host authority if it
determines that one has not already been created. It determines if
an LWCA entry corresponds to the host CA by comparing the DN from
LDAP with the DN from the host authority's certificate.

If the DN from the host authority's certificate contains values
encoded as PrintableString, it will compare unequal to the DN from
LDAP, which parses to UTF8String AVA values. This causes the
addition of a spurious host authority entry every time the server
starts.

Serialise DNs before comparing, to avoid these false negatives.

Fixes: https://fedorahosted.org/pki/ticket/2475

(cherry picked from commit 84606cc69390187b7f0f11fff41a372fd96f8f93)
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a4f1024..ae90d3a 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3256,7 +3256,12 @@ public class CertificateAuthority
if (descAttr != null)
desc = (String) descAttr.getStringValues().nextElement();
- if (dn.equals(mName)) {
+ /* Determine if it is the host authority's entry, by
+ * comparing DNs. DNs must be serialised in case different
+ * encodings are used for AVA values, e.g. PrintableString
+ * from LDAP vs UTF8String in certificate.
+ */
+ if (dn.toString().equals(mName.toString())) {
CMS.debug("Found host authority");
foundHostAuthority = true;
this.authorityID = aid;
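Review bot: the added comment swaps the encodings relative to the commit message. The message says the certificate's DN carries PrintableString values while the DN parsed from LDAP yields UTF8String AVAs, but the comment reads "PrintableString from LDAP vs UTF8String in certificate"; make the two agree, e.g. "e.g. PrintableString in certificate vs UTF8String from LDAP." It is also worth stating in the comment that `dn.toString().equals(mName.toString())` is only as reliable as the serialisation being canonical for both objects (same RDN order, case and escaping), since any difference there would reintroduce the false negative and the spurious host authority entry the message describes.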
--
1.8.3.1