Hello,
With the Subject Name Constraint you can tweak the components to build
the subject DN, and do some pattern matching to select them to re-write
the subject DN, but you cannot really modify parts of the values of
those components.
I don't think you can match and accept a string with \x00 and then
selectively remove the \x00 or any specific string; once it is matched,
it is accepted. It is flexible but "basic".
The design of the name constraint was for matching strings on components,
so that would be a request for enhancement for more regexp support.
Ideally the client should be fixed to do the right thing.
But if not possible, one solution may be to take the existing
SubjectNameConstraint plug-in and use it as a base to write a custom
one, from:
base/server/cms/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Should Dogtag have another name constraint plug-in to validate the
inputs to not accept \x00 or strip some strings before reaching the
NameConstraintsExt plug-in?
Thanks,
M.
On 02/25/2016 12:25 AM, Supper Florian OSS sIT wrote:
Hi and good morning.
I get some requests from mobile devices which are very poor.
Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
With this subject name, it is not possible to enroll a certificate,
because of the “\x00” at the end.
So I’m compelled to rewrite the Subject name. In the first way I only
want to remove the “\x00” characters from CN.
I’ve tried some patterns and configs, but it doesn’t work.
Does one of you know how this could work?
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=……………………………..
In the second way, I want to set the whole subject like this below.
But I want to use the CN which comes in the csr.
Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT,
CN=mycn.example.com /emailAddress=pki-AT-example.com
Thanks for your help.
BR
Florian
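
Added example, not part of the original thread and not Dogtag code: a stand-alone Java sketch of the input check discussed in the reply, showing that a `.*` accept pattern passes the NUL-terminated CN unchanged, next to a reject policy and a strip policy. `SubjectValueCheck` and its method names are hypothetical, and handling the printable forms `\x00` and `\00` is an assumption about how the value may be rendered.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Dogtag code. Class and method names are hypothetical;
 * a custom constraint based on SubjectNameConstraint could apply logic like
 * this to the subject DN string before any pattern matching.
 */
public class SubjectValueCheck {

    // The pattern configured in the profile from the question: accept anything.
    private static final Pattern ACCEPT_ALL = Pattern.compile(".*");

    // Raw C0 control characters and DEL, NUL included.
    private static final Pattern CONTROL = Pattern.compile("[\\x00-\\x1F\\x7F]");

    // Assumption: a NUL may also arrive in printable escaped form,
    // "\x00" as shown in the question or "\00" as an RFC 4514 hex escape.
    private static final Pattern ESCAPED_NUL = Pattern.compile("\\\\x?00");

    /** Pattern matching alone: a match accepts the value as it is. */
    static boolean acceptedByPattern(String subjectDn) {
        return ACCEPT_ALL.matcher(subjectDn).matches();
    }

    /** Reject policy: true if the DN carries a control character. */
    static boolean hasControlChars(String subjectDn) {
        return CONTROL.matcher(subjectDn).find()
                || ESCAPED_NUL.matcher(subjectDn).find();
    }

    /** Strip policy: remove control characters, keep everything else. */
    static String stripControlChars(String subjectDn) {
        String withoutEscaped = ESCAPED_NUL.matcher(subjectDn).replaceAll("");
        return CONTROL.matcher(withoutEscaped).replaceAll("");
    }

    public static void main(String[] args) {
        // Constructed sample: the CN from the question with a real NUL appended.
        String dn = "CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\u0000";
        System.out.println("pattern .* accepts:  " + acceptedByPattern(dn));
        System.out.println("has control chars:   " + hasControlChars(dn));
        String cleaned = stripControlChars(dn);
        System.out.println("length before/after: " + dn.length() + "/" + cleaned.length());
        System.out.println("clean after strip:   " + !hasControlChars(cleaned));
    }
}
```

The reject policy keeps the CA from issuing a name the client did not literally request; the strip policy is the workaround for a client that cannot be fixed.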