Hi Aleksander,
Can you file a bug report and include that patch as an attachment? If you
need help, please let me know.
Regards,
-Bob
On Thu, May 22, 2008 at 7:14 AM, Aleksander Adamowski
<aleksander.adamowski.dogtag(a)altkom.pl> wrote:
Hi!
I've noticed that with our LDAP directory, using the caDirUserCert profile,
we get incorrect SubjectNames - they aren't populated with the requesting users'
commonName (cn) or e-mail (LDAP "mail" -> X.509 "E").
After closer inspection and brief analysis of Dogtag Certificate System's
source code I've identified that the authTokenSubjectNameDefaultImpl plugin
is responsible for this task and its implementation is in the
AuthTokenSubjectNameDefault class (
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netsc...
).
The problem seems to be in this code fragment (line 134):
X500Name name = new X500Name(
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
The plug-in uses the $request.authenticatedname$ value from the request,
which contains the authenticated user's DN. If the DN doesn't contain the cn
and mail attributes, those attributes won't be propagated to the resulting
certificate's subject name.
I think this plugin should use the $request.auth_token.tokencertsubject$
value.
After all, the UidPwdDirAuth plugin's documentation (
http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf)
implies that this value will be used to formulate the certificate's subject
name:
"dnpattern: Specifies a string representing a subject name pattern to
formulate from the directory attributes and entry DN."
So the code should probably be changed to something like this:
Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
===================================================================
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(revision 47)
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
(working copy)
@@ -131,7 +131,7 @@
// to the certinfo
try {
X500Name name = new X500Name(
-
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+
request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));
info.set(X509CertInfo.SUBJECT, new
CertificateSubjectName(name));
} catch (Exception e) {
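Review bot: the replacement lookup `request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT)` has no guard for a missing value; for a profile whose authenticator does not populate tokencertsubject, `new X500Name(...)` is handed null and the only thing standing between that and an unset subject is whatever the enclosing `catch (Exception e)` does. Suggest reading the auth-token value into a local first and falling back to the existing `IProfileAuthenticator.AUTHENTICATED_NAME` path when it is null or empty, with a log line saying which source was used, since this default is shared by every profile that references it, not only caDirUserCert. Also, as pasted the `-` and `+` markers have been separated from their source lines, so the hunk will not apply as-is; attaching the file to the bug report (as requested above) avoids that.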
(note: I didn't test whether it works; I'd have to check out the whole
>130MB SVN repository and set up the complex Dogtag build infrastructure for
this...)
What do you think?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
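To make the difference between the two request values concrete, here is a small stand-alone Java illustration, added here and not part of the original post or of Dogtag's code. It takes a constructed directory entry, shows that its bind DN (what $request.authenticatedname$ carries) has no CN or E RDN, and then formulates a subject from a dnpattern-style template the way the documentation quoted above describes. The "$attr.<name>" placeholder syntax is an assumption modelled on Dogtag's dnpattern and may differ in detail from the real implementation; only javax.naming.ldap from the JDK is used.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectNameDemo {

    // Constructed sample entry (not taken from the list post). A typical
    // bind DN names the entry by uid and location, not by cn or mail.
    static final String ENTRY_DN = "uid=jdoe,ou=People,dc=example,dc=com";

    static Map<String, String> sampleAttrs() {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("uid", "jdoe");
        attrs.put("cn", "John Doe");
        attrs.put("mail", "jdoe@example.com");
        return attrs;
    }

    // Hypothetical dnpattern using "$attr.<name>" placeholders
    // (assumption: the real Dogtag pattern syntax may differ).
    static final String DN_PATTERN = "CN=$attr.cn,E=$attr.mail,O=Example Corp";

    private static final Pattern PLACEHOLDER = Pattern.compile("\\$attr\\.([A-Za-z0-9-]+)");

    /** Replace each $attr.<name> placeholder with the entry's attribute value. */
    static String formulateSubject(String pattern, Map<String, String> attrs) {
        Matcher m = PLACEHOLDER.matcher(pattern);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = attrs.get(m.group(1));
            if (value == null) {
                // A missing attribute must not silently yield an empty RDN.
                throw new IllegalArgumentException("entry lacks attribute " + m.group(1));
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** True if the DN string carries an RDN of the given attribute type (RFC 2253 parsing). */
    static boolean hasRdn(String dn, String type) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        Map<String, String> attrs = sampleAttrs();

        // What the unpatched default uses: the authenticated DN itself.
        System.out.println("authenticatedname: " + ENTRY_DN
                + "  CN=" + hasRdn(ENTRY_DN, "CN") + " E=" + hasRdn(ENTRY_DN, "E"));

        // What a dnpattern-formulated tokencertsubject would carry.
        String subject = formulateSubject(DN_PATTERN, attrs);
        System.out.println("tokencertsubject:  " + subject
                + "  CN=" + hasRdn(subject, "CN") + " E=" + hasRdn(subject, "E"));
    }
}
```

Run with `javac SubjectNameDemo.java && java SubjectNameDemo`: the first line reports CN=false E=false for the bind DN, the second CN=true E=true for the formulated subject, which is exactly the gap the post describes. Note that formulateSubject throws when the entry lacks an attribute the pattern names, the same condition a caller of the patched default should check for before constructing an X500Name.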
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users