Hello,
With the Subject Name Constraint you can tweak the components to build the subject DN, and do some pattern matching to select them to re-write the subject DN, but you cannot really modify parts of the values of those components.
I don't think you can match and accept a string with \x00 and then selectively remove the \x00 or any specific string; once it is matched, it is accepted. It is flexible but "basic".
The design of the name constraint was for matching strings on components, so that would be a request for enhancement for more regexp support.
Ideally the client should be fixed to do the right thing.
But if not possible, one solution may be to take the existing SubjectNameConstraint plug-in and use it as a base to write a custom one, from:
base/server/cms/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Should Dogtag have another name constraint plug-in to validate the inputs to not accept \x00 or strip some strings before reaching the NameConstraintsExt plug-in?
Thanks,
M.

On 02/25/2016 12:25 AM, Supper Florian OSS sIT wrote:

Hi and good morning.

I get some requests from mobile devices which are very poor.

Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00

With this subject name, it is not possible to enroll a certificate, because of the “\x00” at the end.

So I’m compelled to rewrite the Subject name. In the first way I only want to remove the “\x00” characters from CN.

I’ve tried some patterns and configs, but it doesn’t work.

Does one of you know how this could work?

policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=……………………………..

In the second way, I want to set the whole subject like this below. But I want to use the CN which comes in the CSR.

Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com

Thanks for your help.

BR

Florian
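
An added example, not part of either message and not Dogtag code: the kind of check a custom constraint based on SubjectNameConstraint.java could apply to the subject DN before accepting it. The class and method names are hypothetical, the inputs are constructed, and the DN is assumed to arrive as an RFC 2253 string in which the NUL appears as \00; only the JDK's javax.naming.ldap classes are used.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper (not a Dogtag class): strip trailing NULs, reject anything worse.
public class SubjectNulCheck {

    /** Returns the DN with trailing NULs removed from every string value. */
    static String sanitize(String subjectDn) throws InvalidNameException {
        List<Rdn> cleaned = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if (rdn.size() != 1) {          // keep the example to single-valued RDNs
                throw new InvalidNameException("multi-valued RDN not handled: " + rdn.getType());
            }
            Object value = rdn.getValue();
            if (value instanceof String) {
                String s = (String) value;
                int end = s.length();
                while (end > 0 && s.charAt(end - 1) == '\u0000') {
                    end--;                  // a trailing NUL is a client bug: drop it
                }
                s = s.substring(0, end);
                if (s.isEmpty()) {
                    throw new InvalidNameException("empty value in " + rdn.getType());
                }
                for (int i = 0; i < s.length(); i++) {
                    // A NUL or other control character inside the value is rejected,
                    // because removing it would silently change the requested name.
                    if (Character.isISOControl(s.charAt(i))) {
                        throw new InvalidNameException("control character in " + rdn.getType());
                    }
                }
                value = s;
            }
            cleaned.add(new Rdn(rdn.getType(), value));
        }
        return new LdapName(cleaned).toString();
    }

    public static void main(String[] args) {
        String[] samples = {                // constructed inputs
            "CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\\00",
            "CN=mycn.example.com\\00.other.example,O=My Company GmbH",
        };
        for (String dn : samples) {
            try { System.out.println("accepted: " + sanitize(dn)); }
            catch (InvalidNameException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```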


