Hi Aleksander,

Can you file a bug report and include that patch as an attachment?  If you need help, please let me know.

Regards,
-Bob


On Thu, May 22, 2008 at 7:14 AM, Aleksander Adamowski <aleksander.adamowski.dogtag@altkom.pl> wrote:
Hi!

I've noticed that with our LDAP directory, using the caDirUserCert profile, we get incorrect SubjectNames - they aren't populated with requesting users' commonName (cn) or e-mail (LDAP "mail" -> x.509 "E").

After closer inspection and brief analysis of Dogtag Certificate System's source code I've identified that the authTokenSubjectNameDefaultImpl plugin is responsible for this task and its implementation is in the AuthTokenSubjectNameDefault class (https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java).

The problem seems to be in this code fragment (line 134):

X500Name name = new X500Name(
 request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));

The plug-in uses the $request.authenticatedname$ value from the request, which contains the authenticated user's DN. If the DN doesn't contain the cn and mail attributes, those attributes won't be propagated to the resulting certificate's subject name.

I think this plugin should use the $request.auth_token.tokencertsubject$ value.
After all, the UidPwdDirAuth plugin's documentation (http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf) implies that this value will be used to formulate the certificate's subject name:

"dnpattern:     Specifies a string representing a subject name pattern to formulate from the
directory attributes and entry DN."

So the code should probably be changed to something like this:

Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
===================================================================
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java   (revision 47)
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java   (working copy)
@@ -131,7 +131,7 @@
       // to the certinfo
       try {
           X500Name name = new X500Name(
-                    request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+                    request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));

           info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
       } catch (Exception e) {
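Review bot: the replacement line swaps a string lookup for `request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT)`, and since the author notes the patch is untested, the review point is whether that call exists with a String return type suitable for `new X500Name(...)` and whether every authenticator that can back this profile actually populates `TOKEN_CERT_SUBJECT` in its auth token, not only the directory-based one whose dnpattern documentation is quoted. If the token lacks the value, the constructor receives null and the failure is swallowed by the `catch (Exception e)` visible below the hunk, so a fallback to `IProfileAuthenticator.AUTHENTICATED_NAME` when the token subject is missing, plus an import of `AuthToken` if the file does not already have one, would make the change safe to merge.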


(note: I didn't test whether it works, I'd have to check out the whole >130MB SVN repository and set up the complex Dogtag build infrastructure for this...)

What do you think?

--
Best Regards,
  Aleksander Adamowski
      GG#: 274614
      ICQ UIN: 19780575        http://olo.org.pl
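The failure mode described above, as an added illustration that is not Dogtag's code: a small model of the two ways a subject can be formed, from the authenticated entry DN versus from a dnpattern expanded over the entry's attributes. The `$attr.<name>` / `$dn.<rdn>` pattern syntax, the sample DN, attributes and pattern are all constructed for this example, and DN parsing is deliberately naive (no escaping).

```python
import re

# Constructed sample: an LDAP-authenticated user whose entry DN carries
# only uid/ou/dc RDNs, while cn and mail exist only as attributes.
AUTHENTICATED_DN = "uid=jdoe,ou=People,dc=example,dc=com"
ENTRY_ATTRS = {"uid": "jdoe", "cn": "John Doe", "mail": "jdoe@example.com"}

# Hypothetical dnpattern (syntax assumed for this example) that maps
# directory attributes and DN RDNs into the certificate subject.
DN_PATTERN = "E=$attr.mail, CN=$attr.cn, UID=$dn.uid, O=Example Corp"


def parse_dn(dn):
    """Split a DN into (type, value) pairs; types are lower-cased. Naive: no escaping."""
    return [(t.strip().lower(), v.strip())
            for t, v in (rdn.split("=", 1) for rdn in dn.split(","))]


def subject_from_authenticated_name(dn):
    """Model of the current behaviour: the subject is the entry DN as-is,
    so anything not present as an RDN (cn, mail) never reaches the cert."""
    return dict(parse_dn(dn))


def subject_from_dnpattern(pattern, dn, attrs):
    """Model of the documented dnpattern behaviour: expand $attr.X from
    entry attributes and $dn.X from the entry DN, dropping empty RDNs."""
    rdns = dict(parse_dn(dn))

    def expand(match):
        kind, name = match.group(1), match.group(2).lower()
        source = attrs if kind == "attr" else rdns
        return source.get(name, "")

    expanded = re.sub(r"\$(attr|dn)\.(\w+)", expand, pattern)
    return {t: v for t, v in parse_dn(expanded) if v}


if __name__ == "__main__":
    print("from DN:       ", subject_from_authenticated_name(AUTHENTICATED_DN))
    print("from dnpattern:", subject_from_dnpattern(DN_PATTERN, AUTHENTICATED_DN, ENTRY_ATTRS))
```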

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users