9:14 a.m.
Hi!
I've noticed that with out LDAP directory, using the caDirUserCert
profile, we get incorrect SubjectNames - they aren't populated with
requesting users' commonName (cn) or e-mail (LDAP "mail" -> x.509
"E").
After closer inspection and brief analysis of Dogtag Certificate
System's source code I've identified that the
authTokenSubjectNameDefaultImpl plugin is responsible for this task and
its implementation is in the AuthTokenSubjectNameDefault class
(https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netsc...).
The problem seems to be in this code fragment (line 134):
X500Name name = new X500Name(
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
The plug-in uses the $request.authenticatedname$ value from the request,
which contains the authenticated user's DN. If the DN doesn't contain
the cn and mail attribute, those attributed won't be propagated to
resulting certificate's subject name.
I think this plugin should use the $request.auth_token.tokencertsubject$
value.
After all, the UidPwdDiraAuth plugin's documentation
(http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf)
implies that this value will be used to formulate the certificate's
subject name:
"dnpattern: Specifies a string representing a subject name pattern
to formulate from the
directory attributes and entry DN."
So the code should probably be change to something like this:
Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
===================================================================
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(revision 47)
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(working copy)
@@ -131,7 +131,7 @@
// to the certinfo
try {
X500Name name = new X500Name(
-
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+
request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));
info.set(X509CertInfo.SUBJECT, new
CertificateSubjectName(name));
} catch (Exception e) {
(note: I didn't test whether it works, I'd have to check out the whole
130MB SVN repository and set up the complex Dogtag build
infrastructure for this...)
What you think?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
10:44 a.m.
Hi Aleksander,
Can you file a bug report and include that patch as an attachment? If you
need help, please let me know.
Regards,
-Bob
On Thu, May 22, 2008 at 7:14 AM, Aleksander Adamowski
<aleksander.adamowski.dogtag(a)altkom.pl> wrote:
Hi!
I've noticed that with out LDAP directory, using the caDirUserCert profile,
we get incorrect SubjectNames - they aren't populated with requesting users'
commonName (cn) or e-mail (LDAP "mail" -> x.509 "E").
After closer inspection and brief analysis of Dogtag Certificate System's
source code I've identified that the authTokenSubjectNameDefaultImpl plugin
is responsible for this task and its implementation is in the
AuthTokenSubjectNameDefault class (
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netsc...
).
The problem seems to be in this code fragment (line 134):
X500Name name = new X500Name(
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
The plug-in uses the $request.authenticatedname$ value from the request,
which contains the authenticated user's DN. If the DN doesn't contain the cn
and mail attribute, those attributed won't be propagated to resulting
certificate's subject name.
I think this plugin should use the $request.auth_token.tokencertsubject$
value.
After all, the UidPwdDiraAuth plugin's documentation (
http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf)
implies that this value will be used to formulate the certificate's subject
name:
"dnpattern: Specifies a string representing a subject name pattern to
formulate from the
directory attributes and entry DN."
So the code should probably be change to something like this:
Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
===================================================================
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(revision 47)
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(working copy)
@@ -131,7 +131,7 @@
// to the certinfo
try {
X500Name name = new X500Name(
-
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+
request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));
info.set(X509CertInfo.SUBJECT, new
CertificateSubjectName(name));
} catch (Exception e) {
(note: I didn't test whether it works, I'd have to check out the whole
>130MB SVN repository and set up the complex Dogtag build infrastructure for
this...)
What you think?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575 http://olo.org.pl
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
5:32 a.m.
Bob Lord wrote:
Hi Aleksander,
Can you file a bug report and include that patch as an attachment?
Sure:
https://bugzilla.redhat.com/show_bug.cgi?id=448005
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
9:27 a.m.
New subject: Does AuthTokenSubjectNameDefault plugin derive SubjectName incorrectly?
Aleksander Adamowski wrote:
Just for the record, I've made a patch that actually works and has been
tested for your testing pleasure, it's attached in the Bugzilla bug and
I'm attaching it here just in case.
There's one gotcha: since with this patch applied the subjectName
generation started working properly, the old default configuration for
certificate profiles will reject the certificates because they expect
the incorrect subject name (userDN - based).
Now you'll have to customise the LDAP-based certificate profiles to
accomodate this - notably the "Subject Name Constraint".
Dogtag's default profile had the following subject name constraint pattern:
UID=.*
While the subjectNames generated by UidPwdDirAuth plugin looks more like
this by default: "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c" so they
won't ever match the constraint's pattern since they cannot possibly
begin with "UID=".
In my configuration, I've changed the pattern to this and then the new
LDAP-based subject names got accepted:
.*CN=.*
So in short, my caDirUserCert.cfg has the following now:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
...
instead of the official default:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
...
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
6056
days inactive
6057
days old
3 comments
2 participants
participants (2)
-
Aleksander Adamowski -
Bob Lord