Unable to specify Path Length constraint while Issuing CA cert #3296

Open
pki-bot opened this issue Oct 3, 2020 · 2 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #3179. Originally filed by dmoluguw (@SilleBille) on 2020-06-15 18:42:57:

  • Assigned to nobody

Description

While issuing a CA cert, the Path Length constraint accepts only the value -1.

Steps to reproduce

  1. Spawn CA
  2. Submit certificate request:

     pki -c Secret.123 client-cert-request "cn=test" --profile caCACert

  3. As agent, update the above request to specify the pathLen constraint:

     # pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-review 41 --file ca-cert-pathlen.crt
     # vi ca-cert-pathlen.crt
     # cat ca-cert-pathlen.crt
     ~snip~
     <policyAttribute name="basicConstraintsPathLen">
         <Value>10</Value>
         <Descriptor>
             <Syntax>integer</Syntax>
             <Description>Path Length</Description>
             <DefaultValue>-1</DefaultValue>
         </Descriptor>
     </policyAttribute>
     ~snip~

  4. Approve or update request

     # pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-approve 41 --input-file ca-cert-pathlen.crt
     BadRequestException: Request Max Path Length not matched Rejected - {1}
     # pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-update 41 --input-file ca-cert-pathlen.crt
     BadRequestException: Request Max Path Length not matched Rejected - {1}

PS: The same behavior is observed when updating/approving request via web UI

NOTE: The following constraint message is displayed on both Web UI and CLI

This constraint accepts the Basic Constraint extension, if present, only when Criticality=true, Is CA=true, Min Path Length=-1, Max Path Length=-1 

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:17

This seems to be working correctly after setting a positive value in CS.cfg.

However, -1 "logically" refers to unlimited, but the system does not accept a positive value. Since there is a workaround, lowering the priority.
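
Added example (not part of the original issue and not Dogtag PKI code): what a relying party does with the path length once the CA cert is issued, following the pathLenConstraint steps of RFC 5280 section 6.1.4, to show the difference between the requested value 10 and the default -1. The `Cert` model, the `chain_below` helper, the certificate names and the use of -1 for "no pathLen present" are assumptions made for illustration.

```python
from dataclasses import dataclass

NO_LIMIT = -1  # assumption: -1 means the extension carries no pathLen, as in this issue


@dataclass
class Cert:
    subject: str
    is_ca: bool
    path_len: int = NO_LIMIT
    self_issued: bool = False


def check_path(chain):
    """Check basicConstraints along a path (RFC 5280 6.1.4 k, l, m).

    chain is ordered from the cert issued by the trust anchor to the target.
    Returns (ok, reason).
    """
    max_path_length = len(chain)      # 6.1.2: initialised to n
    for cert in chain[:-1]:           # every cert except the target acts as an issuer
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if not cert.self_issued:      # self-issued certs do not consume path length
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        if cert.path_len != NO_LIMIT and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


def chain_below(path_len, sub_cas):
    """Constructed sample path: the issued CA, sub_cas subordinate CAs, one leaf."""
    chain = [Cert("issued-CA", True, path_len)]
    chain += [Cert(f"sub-CA-{i}", True) for i in range(1, sub_cas + 1)]
    return chain + [Cert("leaf", False)]


if __name__ == "__main__":
    for path_len, sub_cas in [(10, 10), (10, 11), (NO_LIMIT, 25), (0, 1)]:
        ok, reason = check_path(chain_below(path_len, sub_cas))
        print(f"pathLen={path_len:>2} sub-CAs={sub_cas:>2} -> {ok} ({reason})")
```

A CA cert issued with pathLen 10 can have at most ten subordinate CA levels beneath it, while one issued with the default -1 places no limit on the depth of the hierarchy.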

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:18

Metadata Update from @SilleBille:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field type adjusted to None
  • Custom field version adjusted to None
  • Issue priority set to: minor
