Workaround for certmonger's "Subject" representations

If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.

The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-01-27 08:58:00 +01:00 committed by Jan Cholasta
parent 76e8d7b35d
commit 595f9b64e3
2 changed files with 16 additions and 1 deletions

View File

@ -35,6 +35,9 @@ import base64
import contextlib
import json
from cryptography import x509 as crypto_x509
from cryptography.hazmat.backends import default_backend
import six
from ipapython import ipautil
@ -64,8 +67,15 @@ if six.PY3:
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
def get_nickname():
subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
# we need to get the subject from a CSR in case we are requesting
# an OpenSSL certificate for which we have to reverse the order of its DN
# components thus changing the CERTMONGER_REQ_SUBJECT
# https://pagure.io/certmonger/issue/62
csr = os.environ.get('CERTMONGER_CSR')
csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
subject = csr_obj.subject
if not subject:
return None

View File

@ -32,6 +32,7 @@ import subprocess
import tempfile
from ipalib import api
from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaplatform import services
@ -329,6 +330,10 @@ def request_cert(
"""
if storage == 'FILE':
certfile, keyfile = certpath
# This is a workaround for certmonger having different Subject
# representation with NSS and OpenSSL
# https://pagure.io/certmonger/issue/62
subject = str(DN(*reversed(DN(subject))))
else:
certfile = certpath
keyfile = certpath