[Pki-users] Does AuthTokenSubjectNameDefault plugin derive SubjectName incorrectly?

Aleksander Adamowski aleksander.adamowski.dogtag at altkom.pl
Fri May 23 14:27:13 UTC 2008


Aleksander Adamowski wrote:
> Sure:
> https://bugzilla.redhat.com/show_bug.cgi?id=448005

Just for the record, I've made a patch that actually works and has been 
tested for your testing pleasure, it's attached in the Bugzilla bug and 
I'm attaching it here just in case.

There's one gotcha: since with this patch applied the subjectName 
generation started working properly, the old default configuration for 
certificate profiles will reject the certificates because they expect 
the incorrect subject name (userDN - based).

Now you'll have to customise the LDAP-based certificate profiles to 
accommodate this - notably the "Subject Name Constraint".

Dogtag's default profile had the following subject name constraint pattern:

UID=.*

While the subjectNames generated by the UidPwdDirAuth plugin look more like 
this by default: "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c", so they 
won't ever match the constraint's pattern since they cannot possibly 
begin with "UID=".

In my configuration, I've changed the pattern to this and then the new 
LDAP-based subject names got accepted:

.*CN=.*


So in short, my caDirUserCert.cfg has the following now:

...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=.*CN=.*
policyset.userCertSet.1.constraint.params.accept=true
...

instead of the official default:

...
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.name=Subject Name Constraint
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.1.constraint.params.accept=true
...


-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: AuthTokenSubjectNameDefault-fix2.patch
Type: text/x-diff
Size: 2202 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20080523/c19f3488/attachment.bin>
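To illustrate the interaction the post describes, here is an added example (not part of the original message or of the Dogtag code) that renders the UidPwdDirAuth-style subject name pattern from a constructed LDAP entry and checks it against the default and the relaxed Subject Name Constraint patterns. It assumes the constraint regex must match the whole DN string (as Java's full-string matching does, which is why a leading `.*` was needed), and it also shows a tighter, layout-anchored pattern as a less permissive alternative to `.*CN=.*`.

```python
import re

# Constructed LDAP entry and DN components, standing in for what the
# UidPwdDirAuth plugin would read from the directory (not real data).
ENTRY = {"uid": "jdoe", "mail": "jdoe@example.com", "cn": "John Doe"}
DN_COMPONENTS = {"o": "Example Corp", "c": "PL"}

# Default subject name pattern quoted in the post.
SUBJECT_NAME_PATTERN = "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c"

# Constraint patterns: Dogtag's shipped default, the post's relaxed one,
# and a hypothetical stricter one anchored to the generated DN layout.
DEFAULT_CONSTRAINT = r"UID=.*"
RELAXED_CONSTRAINT = r".*CN=.*"
STRICT_CONSTRAINT = r"E=[^,]+, CN=[^,]+, O=Example Corp, C=PL"

_TOKEN = re.compile(r"\$(attr|dn)\.([A-Za-z0-9_]+)")


def render_subject_name(pattern, entry, dn_components):
    """Substitute $attr.X from the entry and $dn.X from the DN components."""
    def substitute(match):
        source = entry if match.group(1) == "attr" else dn_components
        key = match.group(2)
        if key not in source:
            raise ValueError(f"no value for ${match.group(1)}.{key}")
        return source[key]
    return _TOKEN.sub(substitute, pattern)


def constraint_accepts(constraint_pattern, subject_name):
    """Assumption: the constraint regex must match the entire DN string."""
    return re.fullmatch(constraint_pattern, subject_name) is not None


if __name__ == "__main__":
    dn = render_subject_name(SUBJECT_NAME_PATTERN, ENTRY, DN_COMPONENTS)
    print("generated subject:", dn)
    for name, pat in [("default", DEFAULT_CONSTRAINT),
                      ("relaxed", RELAXED_CONSTRAINT),
                      ("strict", STRICT_CONSTRAINT)]:
        print(f"{name:8} {pat!r:45} -> {constraint_accepts(pat, dn)}")
    # The relaxed pattern also accepts DNs the profile never generates.
    print("relaxed accepts foreign DN:",
          constraint_accepts(RELAXED_CONSTRAINT, "OU=other, CN=x"))
```

The strict pattern accepts exactly the DN shape the profile produces and rejects a DN such as "CN=x, O=Other, C=XX", whereas `.*CN=.*` accepts any subject containing "CN=" anywhere.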
