From bd7606fc9f2f7349ab33c0d9629667533a4fa7cd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 22 Sep 2016 12:00:35 +1000
Subject: [PATCH] Compare serialised DNs in host authority check
CA startup creates an LWCA entry for the host authority if it determines that one has not already been created. It determines if an LWCA entry corresponds to the host CA by comparing the DN from LDAP with the DN from the host authority's certificate. If the DN from the host authority's certificate contains values encoded as PrintableString, it will compare unequal to the DN from LDAP, which parses to UTF8String AVA values. This causes the addition of a spurious host authority entry every time the server starts. Serialise DNs before comparing, to avoid these false negatives.
Fixes: https://fedorahosted.org/pki/ticket/2475
(cherry picked from commit 84606cc69390187b7f0f11fff41a372fd96f8f93)
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index a4f1024..ae90d3a 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -3256,7 +3256,12 @@ public class CertificateAuthority
 if (descAttr != null)
 desc = (String) descAttr.getStringValues().nextElement();
- if (dn.equals(mName)) {
+ /* Determine if it is the host authority's entry, by
+ * comparing DNs. DNs must be serialised in case different
+ * encodings are used for AVA values, e.g. PrintableString
+ * from LDAP vs UTF8String in certificate.
+ */
+ if (dn.toString().equals(mName.toString())) {
 CMS.debug("Found host authority");
 foundHostAuthority = true;
 this.authorityID = aid;
--
1.8.3.1
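Review bot: The new comment above the `if` reverses the encodings described in the commit message: the message says the certificate DN carries PrintableString values while the DN from LDAP parses to UTF8String, but the comment reads `PrintableString from LDAP vs UTF8String in certificate`. Since this comparison decides which LDAP entry is treated as the host CA's own authority record, the direction should be stated correctly, e.g. `* encodings are used for AVA values, e.g. PrintableString` / `* in the certificate vs UTF8String parsed from LDAP.`. The comment should also say that `toString()` is relied on to render both encodings identically, since that canonicalisation is the whole basis of the check and is not visible in the hunk; whether it additionally normalises case or whitespace in attribute values cannot be determined here. The enclosing method starts and ends outside the hunk, so whether `dn` or `mName` can be null at this point is not visible either.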