[Pki-users] Does AuthTokenSubjectNameDefault plugin derive SubjectName incorrectly?

Bob Lord bob.lord at gmail.com
Thu May 22 15:44:50 UTC 2008


Hi Aleksander,

Can you file a bug report and include that patch as an attachment?  If you
need help, please let me know.

Regards,
-Bob


On Thu, May 22, 2008 at 7:14 AM, Aleksander Adamowski
<aleksander.adamowski.dogtag at altkom.pl> wrote:

> Hi!
>
> I've noticed that with our LDAP directory, using the caDirUserCert profile,
> we get incorrect SubjectNames - they aren't populated with requesting users'
> commonName (cn) or e-mail (LDAP "mail" -> x.509 "E").
>
> After closer inspection and brief analysis of Dogtag Certificate System's
> source code I've identified that the authTokenSubjectNameDefaultImpl plugin
> is responsible for this task and its implementation is in the
> AuthTokenSubjectNameDefault class (
> https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
> ).
>
> The problem seems to be in this code fragment (line 134):
>
> X500Name name = new X500Name(
>  request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
>
> The plug-in uses the $request.authenticatedname$ value from the request,
> which contains the authenticated user's DN. If the DN doesn't contain the cn
> and mail attributes, those attributes won't be propagated to the resulting
> certificate's subject name.
>
> I think this plugin should use the $request.auth_token.tokencertsubject$
> value.
> After all, the UidPwdDirAuth plugin's documentation (
> http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf)
> implies that this value will be used to formulate the certificate's subject
> name:
>
> "dnpattern:     Specifies a string representing a subject name pattern to
> formulate from the directory attributes and entry DN."
>
> So the code should probably be changed to something like this:
>
> Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
> ===================================================================
> --- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
> (revision 47)
> +++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
> (working copy)
> @@ -131,7 +131,7 @@
>        // to the certinfo
>        try {
>            X500Name name = new X500Name(
> -
>  request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
> +
>  request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));
>
>            info.set(X509CertInfo.SUBJECT, new
> CertificateSubjectName(name));
>        } catch (Exception e) {
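Review bot: the `+` line swaps both the accessor and the key at once (`getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)` becomes `getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT)`), and since `new X500Name(...)` on the preceding line takes a String, the replacement only compiles if `getExtDataInAuthToken` returns a String rather than an auth-token object; the original accessor was the `...InString` variant, so confirm which accessor yields the token's `TOKEN_CERT_SUBJECT` value as a String before committing. The change also has no null check: a profile whose authenticator never populates the token certificate subject (one without a `dnpattern`, for instance) would hand a null to the `X500Name` constructor inside the `try`, and the only place that surfaces is the `catch (Exception e)` below, so either fall back to `AUTHENTICATED_NAME` or reject the request with an explicit error so the failure mode is deliberate rather than incidental. Given the sender's note that the patch is untested, a test that enrolls through caDirUserCert and asserts the issued subject carries the expected `CN` and `E` components would confirm both the fix and the fallback.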
>
>
> (note: I didn't test whether it works, I'd have to check out the whole
> >130MB SVN repository and set up the complex Dogtag build infrastructure for
> this...)
>
> What do you think?
>
> --
> Best Regards,
>   Aleksander Adamowski
>       GG#: 274614
>       ICQ UIN: 19780575        http://olo.org.pl
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>