IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Workaround for certmonger's "Subject" representations

Browse Source 
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.

The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-01-27 08:58:00 +01:00 committed by Jan Cholasta
parent 76e8d7b35d
commit 595f9b64e3
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
install/certmonger/dogtag-ipa-ca-renew-agent-submit
View File

@ -35,6 +35,9 @@ import base64
import contextlib import contextlib
import json import json
from cryptography import x509 as crypto_x509
from cryptography.hazmat.backends import default_backend
import six import six
from ipapython import ipautil from ipapython import ipautil
@ -64,8 +67,15 @@ if six.PY3:
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
def get_nickname(): def get_nickname():
subject = os.environ.get('CERTMONGER_REQ_SUBJECT') # we need to get the subject from a CSR in case we are requesting
# an OpenSSL certificate for which we have to reverse the order of its DN
# components thus changing the CERTMONGER_REQ_SUBJECT
# https://pagure.io/certmonger/issue/62
csr = os.environ.get('CERTMONGER_CSR')
csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
subject = csr_obj.subject
if not subject: if not subject:
return None return None

5
ipalib/install/certmonger.py
View File

@ -32,6 +32,7 @@ import subprocess
import tempfile import tempfile
from ipalib import api from ipalib import api
from ipapython.ipa_log_manager import root_logger from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaplatform import services from ipaplatform import services
@ -329,6 +330,10 @@ def request_cert(
""" """
if storage == 'FILE': if storage == 'FILE':
certfile, keyfile = certpath certfile, keyfile = certpath
# This is a workaround for certmonger having different Subject
# representation with NSS and OpenSSL
# https://pagure.io/certmonger/issue/62
subject = str(DN(*reversed(DN(subject))))
else: else:
certfile = certpath certfile = certpath
keyfile = certpath keyfile = certpath