[Pki-users] Does AuthTokenSubjectNameDefault plugin derive SubjectName incorrectly?
Aleksander Adamowski
aleksander.adamowski.dogtag at altkom.pl
Fri May 23 14:27:13 UTC 2008
Aleksander Adamowski wrote:
> Sure:
> https://bugzilla.redhat.com/show_bug.cgi?id=448005
Just for the record, I've made a patch that actually works and has been
tested for your testing pleasure; it's attached to the Bugzilla bug and
I'm attaching it here just in case.
There's one gotcha: since with this patch applied the subjectName
generation started working properly, the old default configuration for
certificate profiles will reject the certificates because they expect
the incorrect subject name (userDN - based).
Now you'll have to customise the LDAP-based certificate profiles to
accommodate this - notably the "Subject Name Constraint".
Dogtag's default profile had the following subject name constraint pattern:
UID=.*
While the subjectNames generated by the UidPwdDirAuth plugin look more like
this by default: "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c", so they
won't ever match the constraint's pattern, since they cannot possibly
begin with "UID=".
In my configuration, I've changed the pattern to this and then the new
LDAP-based subject names got accepted:
.*CN=.*
So in short, my caDirUserCert.cfg has the following now:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
...
instead of the official default:
...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
...
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AuthTokenSubjectNameDefault-fix2.patch
Type: text/x-diff
Size: 2202 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20080523/c19f3488/attachment.bin>
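The following is an added worked example, not code from the post or from Dogtag itself. It renders the UidPwdDirAuth subject-name template quoted above against a constructed LDAP entry and checks the result against the two Subject Name Constraint patterns from the post (the default "UID=.*" and the relaxed ".*CN=.*"), plus a tighter pattern of my own that pins the O and C components. It assumes the constraint applies its pattern as a full match (Java Pattern.matches() semantics), which Python's re.fullmatch emulates; the sample entry, the tight pattern and the "unexpected" subject are all constructed for the illustration.

```python
import re

# Constructed sample LDAP entry (not taken from the original post).
SAMPLE_ENTRY = {
    "attr": {"mail": "jdoe@example.com", "cn": "John Doe"},
    "dn": {"o": "Example Corp", "c": "PL"},
}

# Default subject-name template of the UidPwdDirAuth plugin, as quoted in the post.
DEFAULT_SUBJECT_TEMPLATE = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"

# Constraint patterns: Dogtag's stock one and the relaxed one from the post.
DOGTAG_DEFAULT_PATTERN = r"UID=.*"
POST_RELAXED_PATTERN = r".*CN=.*"
# Assumed tighter pattern (my own, not from the post): requires the E and CN
# components and pins O and C to the directory's fixed values.
TIGHT_PATTERN = r"E=[^,]+, CN=[^,]+, O=Example Corp, C=PL"

# A constructed subject that contains "CN=" but comes from a different
# organisation, to show what ".*CN=.*" would still let through.
UNEXPECTED_SUBJECT = "CN=Someone Else, O=Other Org, C=XX"


def render_subject(template, entry):
    """Expand $attr.X and $dn.X placeholders from the LDAP entry."""
    def replace(match):
        scope, key = match.group(1), match.group(2)
        return entry[scope][key]
    return re.sub(r"\$(attr|dn)\.(\w+)", replace, template)


def subject_matches(pattern, subject):
    """Apply a Subject Name Constraint pattern.

    Assumption: Dogtag evaluates the pattern as a full match (Java
    Pattern.matches()), which is why "UID=.*" cannot accept a subject that
    does not start with "UID=" and why the post needed a leading ".*".
    re.fullmatch reproduces that behaviour.
    """
    return re.fullmatch(pattern, subject) is not None


def evaluate(subject):
    """Return which of the three patterns would accept the given subject."""
    return {
        "dogtag_default": subject_matches(DOGTAG_DEFAULT_PATTERN, subject),
        "post_relaxed": subject_matches(POST_RELAXED_PATTERN, subject),
        "tight": subject_matches(TIGHT_PATTERN, subject),
    }


if __name__ == "__main__":
    generated = render_subject(DEFAULT_SUBJECT_TEMPLATE, SAMPLE_ENTRY)
    print("generated subject:", generated)
    print("accepted by:", evaluate(generated))
    print("unexpected subject accepted by:", evaluate(UNEXPECTED_SUBJECT))
```

Running it shows the post's point: the LDAP-derived subject is rejected by "UID=.*" and accepted by ".*CN=.*". It also shows the caveat a defender would want: ".*CN=.*" accepts any subject that merely contains "CN=", including the constructed one from another organisation, whereas the anchored pattern accepts only subjects shaped like the ones the plugin actually generates for your directory.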