Discussion for devs: once this is merged should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?
IMO we should do it, but we should not automatically update existing
installations.  Instead, we (I) can produce a KBase article about
using the new component.
Let me know what you think.
Cheers,
Fraser
On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
 On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
 > Hi all,
 > 
 > The attached patches implement the long-desired feature to copy CN
 > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
 > 
 > I've also pushed the branch to my GitHub repo; feel free to review
 > the patches there:
 > 
 > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
 > 
 > Thanks,
 > Fraser
 > 
 > 
 > _______________________________________________
 > Pki-devel mailing list
 > Pki-devel(a)redhat.com
 > https://www.redhat.com/mailman/listinfo/pki-devel
 
 Fraser,
 
 In order to review this patch, I am going to apply it and make a scratch
 build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
 us.
 
 If they give us their approval, you can consider yourself granted an ACK on
 this patch and check it into master so that I can cherry-pick it into the
 10.3 branches.
 
 -- Matt
 
 P. S. - FYI, the following conversation took place on #cs today:
 
    <mharmsen> dminnich,walrus: ftweedal has released a patch for
    https://fedorahosted.org/pki/ticket/1710 - Add profile component
    that copies CN to SAN -- if I applied that patch to a 10.3.3
    pki-core for RHEL 7.3, could you guys test it out, or in order to
    test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
    7.2 like last time?
    <walrus> mharmsen: having a scratch build of 7.2 would be quickest
    <walrus> we are just now planning the 7.3 upgrade, which will take
    some time to get into dev
    <mharmsen> walrus: okay, I can try to see if I can do that, but
    remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
    <walrus> yeah we should be on 7.3 in a month or so... a lot of
    things to test on a lot of servers :)
    <walrus> csnell|wfh: ^^^
    <mharmsen> walrus: completely understood! LOL
    <dminnich> mharmsen: that will be a very welcome patch
    <dminnich> mharmsen: do you happen to know if ACLs work against SANs?
    <mharmsen> dminnich: not off the top of my head
    <mharmsen> edewata, cfu, jmagne: ^^^?
    <dminnich> that is something on our to investigate list as well
    <mharmsen> dminnich: I am going to drop an email to ftweedal, and I
    will ask that question
    <edewata> mharmsen: no idea about SAN
    <jmagne> mharmsen, don't know
    <cfu> dminnich, mharmsen , what does that mean?
    <dminnich> cfu: right now we allow only people in LDAP group X to
    issue certs for domains that meet Y regex.  but we don't check
    SANs.  so somebody could CN=blah.devlab.com and get approved but add
    a SAN for www.redhat.com and we don't deny it
    <edewata> dminnich: where is X & Y defined?
    <dminnich> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
    https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
    <dminnich> edewata: ^ some of that might be added by puppet later.  but
    that's the gist
    <edewata> dminnich: ok, it's in profile, not ACL
    <dminnich> authz.acl=group  and constraints
    <cfu> dminnich, dminnich ah, I see. so it's like a pattern
    constraint just like what we have for subject name now in the
    profile.  Yeah, you can write a constraint plugin for that
    <cfu> dminnich, anyway, feel free to file a ticket for it.
    <dminnich> cfu: will do
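The gap dminnich describes (a profile constraint that pattern-matches the subject CN but never looks at SAN dNSNames), modelled as an added example that is not part of this thread or of Dogtag's code. The allowed-domain regex, the `Request` model and the `copy_cn_to_san` helper are constructed assumptions standing in for the profile's real constraint and the new CN-to-SAN component.

```python
"""Apply one allowed-domain policy to every name a certificate will carry.

Added illustration, not Dogtag code: the weak check validates the CN only,
so a request whose SAN names an unrelated domain is approved; the hardened
check rejects unless every CN and SAN dNSName matches the same policy.
"""
import re
from dataclasses import dataclass, field

# Constructed policy: hypothetical "group X may only issue for *.devlab.com".
ALLOWED_NAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)*devlab\.com$", re.IGNORECASE)


@dataclass
class Request:
    """Simplified stand-in for a cert request: subject CN plus SAN dNSNames."""
    cn: str
    san_dns: list = field(default_factory=list)


def cn_only_check(req, pattern=ALLOWED_NAME_RE):
    """The weak constraint: matches the CN and ignores SANs entirely."""
    return pattern.fullmatch(req.cn) is not None


def all_names_check(req, pattern=ALLOWED_NAME_RE):
    """Hardened constraint: every name in CN and SAN must match the policy.

    Returns (accepted, rejected_names) so a profile can report what failed.
    """
    names = [req.cn] + list(req.san_dns)
    rejected = [n for n in names if pattern.fullmatch(n) is None]
    return (len(rejected) == 0, rejected)


def copy_cn_to_san(req):
    """Model of the CN-to-SAN component: ensure the CN is present as a SAN.

    Run this before the constraint so the check sees the final SAN list.
    """
    if req.cn in req.san_dns:
        return req
    return Request(req.cn, list(req.san_dns) + [req.cn])


if __name__ == "__main__":
    # Constructed request: CN in the allowed domain, SAN for an unrelated one.
    sneaky = Request("blah.devlab.com", ["www.redhat.com"])
    print("CN-only check:", cn_only_check(sneaky))          # True (approved)
    print("all-names check:", all_names_check(sneaky))      # (False, ['www.redhat.com'])
    print("after CN->SAN:", all_names_check(copy_cn_to_san(Request("blah.devlab.com"))))
```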