2:25 a.m.
Hi and good morning.
I get some request from mobile devices which are very poor.
Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
With this subject name, it is not possible to enroll a certificate, because of the "
\x00" at the end..
So i'm compelled to rewrite the Subject name. In the first way I only want to remove
the "\x00" characters from CN.
I've tried some pattern and configs, but it doesn't work.
Does one of you knows how this could work?
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
In the second way, i want to set the whole subject like this below. But I want to use the
CN which comes in the csr.
Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com
/emailAddress=pki-AT-example.com
Thanks for your help.
BR
Florian
1:23 p.m.
Hello,
With the Subject Name Constraint you can tweak the components to build
the subject DN, and do some pattern matching to select them to re-write
the subject DN, but you cannot really modify parts of the values of
those components.
I don't think you can match and accept a string with \x00 and then
selectively remove the \x00 or any specific string, once it is matched,
it is accepted, it is flexible but "basic".
The design of the name constraint was for matching string on components,
so that would be a request for enhancement for more regexp support.
Ideally the client should be fixed to do the right thing.
But if not possible, one solution may be to take the existing
SubjectNameConstraint plug-in and use it as a base to write a custom
one, from:
base/server/cms/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Should Dogtag have another name constraint plug-in to validate the
inputs to not accept \x00 or strip some strings before reaching the
NameConstraintsExt, plug-in?
Thanks,
M.
On 02/25/2016 12:25 AM, Supper Florian OSS sIT wrote:
Hi and good morning.
I get some request from mobile devices which are very poor.
Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
With this subject name, it is not possible to enroll a certificate,
because of the “ \x00” at the end..
So i’m compelled to rewrite the Subject name. In the first way I only
want to remove the “\x00” characters from CN.
I’ve tried some pattern and configs, but it doesn’t work.
Does one of you knows how this could work?
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=……………………………..
In the second way, i want to set the whole subject like this below.
But I want to use the CN which comes in the csr.
Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT,
CN=mycn.example.com /emailAddress=pki-AT-example.com
Thanks for your help.
BR
Florian
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
7:53 p.m.
On Thu, Feb 25, 2016 at 08:25:54AM +0000, Supper Florian OSS sIT wrote:
Hi and good morning.
I get some request from mobile devices which are very poor.
Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
With this subject name, it is not possible to enroll a certificate, because of the "
\x00" at the end..
So i'm compelled to rewrite the Subject name. In the first way I only want to remove
the "\x00" characters from CN.
I've tried some pattern and configs, but it doesn't work.
Does one of you knows how this could work?
Florian,
The null byte at end of CN makes it an invalid CSR. I think it is
unlikely that a configuration change can redeem this request, but if
you provide an example CSR I will see where the request fails and
determine what, if anything, can be done right now.
For dealing with this in future it might be possible to add a
configurable to scrub null bytes from request DN values.
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
In the second way, i want to set the whole subject like this below. But I want to use the
CN which comes in the csr.
Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com
/emailAddress=pki-AT-example.com
The config you want here is:
policyset.cmcUserCertSet.1.default.params.name=C=AT, ST=Vienna, L=Vienna, O=My Company
GmbH, OU=MYORGUNIT, CN=$request.req_subject_name$, E=pki-AT-example.com
Cheers,
Fraser
3183
days inactive
3222
days old
2 comments
3 participants
participants (3)
-
Fraser Tweedale -
Marc Sauton -
Supper Florian OSS sIT