[Freeipa-devel] [PATCH] 823 validate certificate subject base

Rob Crittenden rcritten at redhat.com
Mon Jul 18 17:10:46 UTC 2011


Martin Kosek wrote:
> On Mon, 2011-07-18 at 12:08 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Thu, 2011-07-07 at 12:02 -0400, Rob Crittenden wrote:
>>>> Use John's new DN class to verify that the subject base passed into
>>>> ipa-server-install is valid.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1176
>>>>
>>>> rob
>>>
>>> Works fine for basic errors. But what if the DN is syntactically valid,
>>> but it makes no sense for CA? For example:
>>>
>>> # ipa-server-install --subject="FOO=BAR"
>>> ...
>>> Configuring certificate server: Estimated time 6 minutes
>>>     [1/16]: creating certificate server user
>>>     [2/16]: creating pki-ca instance
>>>     [3/16]: restarting certificate server
>>>     [4/16]: configuring certificate server instance
>>> root        : CRITICAL failed to configure ca instance Command
>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>> vm-099.idm.lab.bos.redhat.com -cs_port 9445
>>> -client_certdb_dir /tmp/tmp-VQeqTM -client_certdb_pwd 'XXXXXXXX'
>>> -preop_pin p8NYnreBzTcV8Oq13vCu -domain_name IPA -admin_user admin
>>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
>>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>>> -agent_cert_subject "CN=ipa-ca-agent,FOO=BAR" -ldap_host
>>> vm-099.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn "cn=Directory
>>> Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca
>>> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>>> -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal
>>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,FOO=BAR"
>>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,FOO=BAR"
>>> -ca_server_cert_subject_name "CN=vm-099.idm.lab.bos.redhat.com,FOO=BAR"
>>> -ca_audit_signing_cert_subject_name "CN=CA Audit,FOO=BAR"
>>> -ca_sign_cert_subject_name "CN=Certificate Authority,FOO=BAR" -external
>>> false -clone false' returned non-zero exit status 255
>>> Unexpected error - see ipaserver-install.log for details:
>>>    Configuration of CA failed
>>>
>>>
>>> Could we also cover these cases in the callback?
>>>
>>> Martin
>>>
>>
>> Added list of allowed attributes.
>>
>> rob
>
> ACK, works fine. I would just recommend splitting the line with
> VALID_SUBJECT_ATTRS before pushing, it's quite long.
>
> Martin
>

Fixed and pushed to master and ipa-2-0
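An added example, not FreeIPA's code, of the kind of check the thread converges on: parse the subject base as a string DN and reject any attribute type that is not on an allow-list, so that a syntactically valid but meaningless DN such as `FOO=BAR` fails at install time instead of deep inside `pkisilent`. `VALID_SUBJECT_ATTRS` below is a constructed allow-list written for this example (not the list FreeIPA ships), and `parse_dn` is a minimal RFC 4514 string-DN parser standing in for the DN class the patch uses.

```python
"""Validate a certificate subject base DN against an attribute allow-list.

Added example, not FreeIPA code.  parse_dn() is a small RFC 4514 parser
(backslash escapes, single-byte \\XX hex escapes, '+' multi-valued RDNs;
legacy quoted values are not supported).  VALID_SUBJECT_ATTRS is a
constructed allow-list for this example, not FreeIPA's own list.
"""
import re

# Constructed allow-list of attribute types that make sense in a CA
# subject base (assumption for this example, not FreeIPA's list).
VALID_SUBJECT_ATTRS = frozenset(
    a.lower() for a in ("c", "st", "l", "o", "ou", "dnqualifier", "dc",
                        "serialnumber", "cn")
)

# Attribute type: a descriptor ("cn", "dc") or a numeric OID ("2.5.4.3").
_ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)*$")


def _finish(attr, value, in_attr):
    """Turn the accumulated type/value characters into an (type, value)
    tuple, rejecting components that never saw an '=' or whose type is
    not a legal attribute type."""
    name = "".join(attr).strip()
    if in_attr:
        raise ValueError("RDN component %r has no '='" % name)
    if not _ATTR_TYPE.match(name):
        raise ValueError("invalid attribute type %r" % name)
    return name, "".join(value)


def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs; each RDN is a list
    of (attribute_type, value) tuples.  Raises ValueError on malformed
    input (missing '=', empty type, dangling escape)."""
    rdns, rdn = [], []
    attr, value, in_attr, escaped = [], [], True, False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if escaped:
            # "\XX" hex pair (single byte only here) or one escaped char
            if re.match(r"[0-9A-Fa-f]{2}", dn[i:i + 2]):
                value.append(chr(int(dn[i:i + 2], 16)))
                i += 1
            else:
                value.append(ch)
            escaped = False
        elif ch == "\\" and not in_attr:
            escaped = True
        elif ch == "=" and in_attr:
            in_attr = False
        elif ch in ",;+" and not in_attr:
            rdn.append(_finish(attr, value, in_attr))
            attr, value, in_attr = [], [], True
            if ch != "+":          # ',' or ';' closes the RDN, '+' does not
                rdns.append(rdn)
                rdn = []
        else:
            (attr if in_attr else value).append(ch)
        i += 1
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    rdn.append(_finish(attr, value, in_attr))
    rdns.append(rdn)
    return rdns


def validate_subject_base(dn, allowed=VALID_SUBJECT_ATTRS):
    """Return the lower-cased attribute types in the DN if every one is on
    the allow-list; otherwise raise ValueError naming the first offender,
    which is what an install-time option callback would report."""
    types = [attr.lower() for rdn in parse_dn(dn) for attr, _ in rdn]
    for t in types:
        if t not in allowed:
            raise ValueError(
                "attribute '%s' is not allowed in the subject base" % t)
    return types


def subject_base_error(dn):
    """None if the subject base is acceptable, else the error message."""
    try:
        validate_subject_base(dn)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for candidate in ("O=EXAMPLE,DC=example,DC=com", "FOO=BAR", "O=EXAMPLE,"):
        print("%-30s -> %s" % (candidate, subject_base_error(candidate) or "ok"))
```

The parser is deliberately strict about structure (a component without `=`, an empty type, a trailing separator) so that errors surface with a message naming the offending component, while values are kept verbatim as RFC 4514 requires; the allow-list check is case-insensitive because attribute descriptors are.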
