pki-bot / pki-issues-final


Unable to specify Path Length constraint while Issuing CA cert #2728

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #3179. Originally filed by dmoluguw (@SilleBille) on 2020-06-15 18:42:57:


Description

While issuing a CA cert, Path Length constraint accept only -1 value.

Steps to reproduce

1) Spawn CA

2) Submit certificate request:

# pki -c Secret.123 client-cert-request "cn=test" --profile caCACert

3) As agent, update the above request to specify the pathLen constraint:

# pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-review 41 --file ca-cert-pathlen.crt
# vi ca-cert-pathlen.crt
# cat ca-cert-pathlen.crt
~snip~
<policyAttribute name="basicConstraintsPathLen">
    <Value>10</Value>
    <Descriptor>
        <Syntax>integer</Syntax>
        <Description>Path Length</Description>
        <DefaultValue>-1</DefaultValue>
    </Descriptor>
</policyAttribute>
~snip~

4) Approve or update request

# pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-approve 41 --input-file ca-cert-pathlen.crt 
BadRequestException: Request Max Path Length not matched Rejected - {1}
# pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-update 41 --input-file ca-cert-pathlen.crt 
BadRequestException: Request Max Path Length not matched Rejected - {1}

PS: The same behavior is observed when updating/approving request via web UI

NOTE: The following constraint message is displayed on both Web UI and CLI

This constraint accepts the Basic Constraint extension, if present, only when Criticality=true, Is CA=true, Min Path Length=-1, Max Path Length=-1

pki-bot commented 3 years ago

Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:17

This seems to be working correctly after setting a positive value in CS.cfg.

However, -1 "logically" refers to unlimited, but the system does not accept a positive value. Since there is a workaround, lowering the priority.
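
How a pathLenConstraint value such as the 10 requested in the report actually limits a chain, as an added example that is not part of this issue or of the pki project's code: it implements the RFC 5280 section 6.1.4 path-length processing over a constructed chain of modeled certificates (plain dicts, not real X.509 objects), translating the profile's "-1 = unlimited" convention into the RFC's absent field. The `cert()` helper, the `validate_path_length()` function and the chain contents are assumptions made for the example; only the -1 convention comes from the issue.

```python
"""RFC 5280 section 6.1.4 path-length processing over a modeled chain.

Added example, not code from the Dogtag issue or the pki project. Each
certificate is a dict standing in for its Basic Constraints extension; no
DER is parsed. Path length uses the profile convention from the issue:
-1 means "no pathLenConstraint" (unlimited), 0 or more is an explicit limit.
"""
from typing import List, Optional

UNLIMITED = None  # RFC 5280 expresses "unlimited" by omitting the field


def dogtag_pathlen_to_rfc(value: int) -> Optional[int]:
    """Translate the profile integer (-1 = unlimited) into an RFC 5280 value."""
    if value < -1:
        raise ValueError("pathLen must be -1 or a non-negative integer")
    return UNLIMITED if value == -1 else value


def cert(subject: str, issuer: str, ca: bool, pathlen: int = -1) -> dict:
    """Build a modeled certificate (hypothetical helper for this example)."""
    return {"subject": subject, "issuer": issuer, "ca": ca,
            "pathlen": dogtag_pathlen_to_rfc(pathlen)}


def validate_path_length(chain: List[dict]) -> bool:
    """Return True if every CA's pathLenConstraint in the chain is honoured.

    chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    RFC 5280 leaves trust-anchor handling to the application; this example
    also applies the anchor's own constraint (an assumption of the example).
    """
    # 6.1.2: max_path_length starts at the number of certificates below the
    # anchor, i.e. the path is allowed to be as long as it is unless a CA
    # tightens it.
    max_path_length = len(chain) - 1
    for c in chain[:-1]:  # every certificate that issues the next one
        if not c["ca"]:
            return False  # a non-CA certificate cannot sit above another cert
        # 6.1.4 (l): only non-self-issued certificates consume path length.
        if c["subject"] != c["issuer"]:
            if max_path_length <= 0:
                return False  # an earlier CA's pathLenConstraint is exceeded
            max_path_length -= 1
        # 6.1.4 (m): a shorter pathLenConstraint tightens the remaining budget.
        pl = c["pathlen"]
        if pl is not None and pl < max_path_length:
            max_path_length = pl
    return True


# Constructed chains for illustration (no real CA involved).
ROOT = cert("CN=Root", "CN=Root", ca=True)                  # -1: unlimited
SUB_10 = cert("CN=Sub", "CN=Root", ca=True, pathlen=10)     # the value from the report
SUB_0 = cert("CN=Sub", "CN=Root", ca=True, pathlen=0)       # may only issue end entities
SUB2 = cert("CN=Sub2", "CN=Sub", ca=True)
LEAF = cert("CN=leaf", "CN=Sub", ca=False)
LEAF2 = cert("CN=leaf", "CN=Sub2", ca=False)

if __name__ == "__main__":
    print("Root -> Sub(pathlen 10) -> leaf:", validate_path_length([ROOT, SUB_10, LEAF]))
    print("Root -> Sub(pathlen 0) -> leaf:", validate_path_length([ROOT, SUB_0, LEAF]))
    print("Root -> Sub(pathlen 0) -> Sub2 -> leaf:", validate_path_length([ROOT, SUB_0, SUB2, LEAF2]))
```

The third chain is the case a positive path length exists to prevent: a sub-CA issued with pathlen 0 has its budget set to zero, so the next non-self-issued CA below it fails step (l). A sub-CA issued with -1 (the only value the constraint accepts in the report) imposes no such limit, which is why the requester wanted to set 10 explicitly.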

pki-bot commented 3 years ago

Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:18

Metadata Update from @SilleBille: