[Freeipa-devel] [PATCH] 823 validate certificate subject base

Martin Kosek mkosek at redhat.com
Mon Jul 18 16:31:26 UTC 2011


On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
> >> Use John's new DN class to verify that the subject base passed into
> >> ipa-server-install is valid.
> >>
> >> https://fedorahosted.org/freeipa/ticket/1176
> >>
> >> rob
> >
> > Works fine for basic errors. But what if the DN is syntactically valid,
> > but it makes no sense for CA? For example:
> >
> > # ipa-server-install --subject="FOO=BAR"
> > ...
> > Configuring certificate server: Estimated time 6 minutes
> >    [1/16]: creating certificate server user
> >    [2/16]: creating pki-ca instance
> >    [3/16]: restarting certificate server
> >    [4/16]: configuring certificate server instance
> > root        : CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > vm-099.idm.lab.bos.redhat.com -cs_port 9445
> > -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX'
> > -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
> > -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host
> > vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory
> > Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca
> > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> > -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal
> > -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR"
> > -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR"
> > -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR"
> > -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR"
> > -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external
> > false -clone false' returned non-zero exit status 255
> > Unexpected error - see ipaserver-install.log for details:
> >   Configuration of CA failed
> >
> >
> > Could we also cover these cases in the callback?
> >
> > Martin
> >
> 
> Added list of allowed attributes.
> 
> rob

ACK, works fine. I would just recommend splitting the line with
VALID_SUBJECT_ATTRS before pushing; it's quite long.

Martin
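As an added example, not the patch under review, here is a standalone version of the check the thread settles on: parse the subject base as a DN and reject any attribute type outside an allow-list, so that a string like "FOO=BAR" is caught before pkisilent fails. The allow-list, regex and function names are assumptions for illustration, not FreeIPA's real VALID_SUBJECT_ATTRS or its DN class.

```python
"""Validate a CA subject base: it must parse as a DN and use only attribute
types the CA will accept (the case Martin raised in the thread)."""
import re

# Assumed allow-list for illustration; the real one lives in ipa-server-install.
VALID_SUBJECT_ATTRS = {"cn", "st", "o", "ou", "c", "l", "dc", "street", "serialnumber"}

# Attribute types by name only; dotted OID forms are rejected on purpose
# because the allow-list is keyed by name.
_DN_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def split_dn(dn):
    """Split a DN string into (attr, value) pairs.

    Backslash escapes are kept verbatim in the value and only prevent the
    escaped character from being treated as a separator; '+' (multi-valued
    RDN) is split like ',' so every attribute type gets checked.
    Raises ValueError when the string is not syntactically a DN."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch in ",+":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("trailing backslash in DN")
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not _DN_ATTR_RE.match(attr) or not value:
            raise ValueError("malformed RDN: %r" % part)
        pairs.append((attr, value))
    return pairs


def validate_subject_base(dn):
    """Return the attribute types that are not allowed (empty list means OK).
    A ValueError from split_dn means the DN is not even syntactically valid."""
    return [a for a, _ in split_dn(dn) if a.lower() not in VALID_SUBJECT_ATTRS]
```

The installer would call validate_subject_base() from its option callback and refuse the value when the returned list is non-empty.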
