[Pki-devel] question on subject patterns

John Dennis jdennis at redhat.com
Wed Apr 4 14:44:11 UTC 2012


On 04/04/2012 08:51 AM, Rob Crittenden wrote:
> In IPA we use a profile that automatically issues server certificates.
> It uses a pattern to pluck the hostname out of the CSR and sticks that
> into a user-configurable subject template.
>
> The pattern is
>
> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
>
> The template by default looks like
>
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
>
> We discovered that if CN is an RDN in the subject template then
> certificates get the wrong subject.
>
> For example, if we use CN=Test then the issued subject ends up being
> CN=Test, CN=Test.
>
> If we use CN=Test, CN=Coyote, O=Acme the issued subject is
> CN=Coyote,CN=Test,CN=Coyote,O=Acme
>
> We are creating the CSR with:
>
> /usr/bin/certutil -d /etc/httpd/alias -R -s
> CN=pinto.example.com,OU=Test,CN=Coyote,O=Acme -o
> /var/lib/ipa/ipa-iem5hd/tmpcertreq -k rsa -g 2048 -z
> /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a
>
> So my questions are:
>
> 1. Do we just need to tweak the pattern?
> 2. Do I need to ban CN as an element of subjects? If it exists anywhere
> in the subject template it messes up the replacement.

The regexp is not doing what you expect, or so I believe (I have not 
researched the regexp parser being used but I suspect it follows PCRE 
rules, i.e. Perl regexps).

Your pattern of CN=[^,]+,.+

is going to require there be at least two RDNs, of which the first one 
has CN as its type. It will then return that first RDN with CN as its 
type and every RDN which follows it. Here's why: the first part of the 
regexp will match CN=xxx where xxx is anything not containing a comma, 
then it must be followed by a comma, and then it matches the entire rest 
of the string. Is that what you want? I suspect not.

Are you just looking for the first RDN with CN as its type? If so, drop 
the ,.+ from the above regexp.

FWIW, regexps are not a robust way to parse DNs; they don't handle 
escaped characters, multi-valued RDNs, etc. But for the above case a 
regexp is probably OK, I don't think you'll run afoul of those problems 
in this simple scenario.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
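The regexp behaviour described in the reply above, worked through as an added example; this is not code from the thread, from IPA or from Dogtag. Python's re module stands in for whatever engine evaluates the profile constraint; for this particular pattern Python, PCRE and Java regexps agree. The sample DN is the subject string from the certutil command quoted earlier. The split_unescaped and first_cn_value helpers are a hypothetical minimal DN splitter written for this example, added to show the escaped-comma and multi-valued-RDN cases that the reply says a regexp cannot handle; they are not the DN code of any real product.

```python
import re

# Constructed sample input: the subject from the certutil -s argument quoted in the thread.
SAMPLE_DN = "CN=pinto.example.com,OU=Test,CN=Coyote,O=Acme"

# The profile constraint pattern as posted, and the same pattern with ",.+" dropped.
PROFILE_PATTERN = r"CN=[^,]+,.+"
FIRST_CN_PATTERN = r"CN=[^,]+"


def match_profile_pattern(dn):
    """Return what CN=[^,]+,.+ matches: the first CN RDN and every RDN after it,
    or None when no comma follows the CN (e.g. a bare CN=Test)."""
    m = re.search(PROFILE_PATTERN, dn)
    return m.group(0) if m else None


def match_first_cn(dn):
    """Return what CN=[^,]+ matches: the first CN RDN only."""
    m = re.search(FIRST_CN_PATTERN, dn)
    return m.group(0) if m else None


def split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash.
    Hypothetical minimal helper written for this example; not Dogtag's or NSS's DN code."""
    parts, cur, escaped = [], [], False
    for ch in s:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def unescape_value(v):
    """Undo RFC 4514 backslash escapes: '\\,' -> ',' and a '\\XX' hex pair -> that byte."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            hexpair = v[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
                continue
            out.append(v[i + 1])
            i += 2
            continue
        out.append(v[i])
        i += 1
    return "".join(out)


def first_cn_value(dn):
    """Value of the first CN attribute, honouring escaped commas and '+' multi-valued RDNs."""
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr_type, _, value = ava.partition("=")
            if attr_type.strip().upper() == "CN":
                return unescape_value(value.strip())
    return None


if __name__ == "__main__":
    # Constructed inputs: the thread's DN, a bare CN, an escaped comma, a multi-valued RDN.
    for dn in (SAMPLE_DN, "CN=Test", r"CN=Doe\, John,O=Acme",
               "CN=pinto.example.com+OU=Test,O=Acme"):
        print(repr(dn))
        print("  CN=[^,]+,.+ matches :", match_profile_pattern(dn))
        print("  CN=[^,]+ matches    :", match_first_cn(dn))
        print("  parsed CN value     :", first_cn_value(dn))
```

Running it shows the three points in the reply: CN=[^,]+,.+ swallows the whole subject from the first CN onward and does not match a bare CN=Test at all; CN=[^,]+ returns only the first CN RDN; and even the shorter regexp stops at a backslash-escaped comma (giving CN=Doe\) and drags a '+'-joined OU along with the CN, where the splitter returns the intended value.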
