[Pki-users] Does AuthTokenSubjectNameDefault plugin derive SubjectName incorrectly?

Aleksander Adamowski aleksander.adamowski.dogtag at altkom.pl
Thu May 22 14:14:22 UTC 2008


Hi!

I've noticed that with our LDAP directory, using the caDirUserCert 
profile, we get incorrect SubjectNames - they aren't populated with 
requesting users' commonName (cn) or e-mail (LDAP "mail" -> X.509 "E").

After closer inspection and brief analysis of Dogtag Certificate 
System's source code I've identified that the 
authTokenSubjectNameDefaultImpl plugin is responsible for this task and 
its implementation is in the AuthTokenSubjectNameDefault class 
(https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java).

The problem seems to be in this code fragment (line 134):

X500Name name = new X500Name(
  request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));

The plug-in uses the $request.authenticatedname$ value from the request, 
which contains the authenticated user's DN. If the DN doesn't contain 
the cn and mail attributes, those attributes won't be propagated to the 
resulting certificate's subject name.

I think this plugin should use the $request.auth_token.tokencertsubject$ 
value.
After all, the UidPwdDirAuth plugin's documentation 
(http://www.redhat.com/docs/manuals/cert-system/pdf/cms601plugin.pdf) 
implies that this value will be used to formulate the certificate's 
subject name:

"dnpattern:     Specifies a string representing a subject name pattern 
to formulate from the directory attributes and entry DN."

So the code should probably be changed to something like this:

Index: src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
===================================================================
--- src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java   
(revision 47)
+++ src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java   
(working copy)
@@ -131,7 +131,7 @@
         // to the certinfo
         try {
             X500Name name = new X500Name(
-                    
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+                    
request.getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT));
 
             info.set(X509CertInfo.SUBJECT, new 
CertificateSubjectName(name));
         } catch (Exception e) {
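Review bot: the replacement lookup has no fallback for authenticators that do not formulate a tokencertsubject (dnpattern is described in the quoted docs as a UidPwdDirAuth feature, while AUTHENTICATED_NAME is what the plug-in read for every request before). If getExtDataInAuthToken(AuthToken.TOKEN_CERT_SUBJECT) yields null for such a request, `new X500Name(...)` throws inside this try block and control lands in the `catch (Exception e)` at the end of the hunk, so the subject is dropped instead of defaulting to the authenticated DN. Suggest reading AuthToken.TOKEN_CERT_SUBJECT first and falling back to the AUTHENTICATED_NAME string when the token value is null or empty, and checking that AuthToken is imported in this class; the untested status noted below is worth repeating in the commit message so a committer knows to build and run a caDirUserCert enrollment before merging.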


(note: I didn't test whether it works, I'd have to check out the whole 
>130MB SVN repository and set up the complex Dogtag build 
infrastructure for this...)

What do you think?

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575
        http://olo.org.pl
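To make the difference between the two subject sources concrete, here is a small model, added as an illustration and not taken from Dogtag's code base. It stands in for the two behaviours discussed above: taking the authenticated entry DN verbatim (what AUTHENTICATED_NAME holds) versus formulating a subject from a dnpattern over directory attributes (what a tokencertsubject holds). The LDAP entry, the pattern and the `$attr.<name>` / `$dn.<name>` placeholder syntax are constructed assumptions chosen to match the docs quote; the `missing_rdns` check is the kind of test a CA operator can run over issued subjects to detect the symptom described in this message.

```python
import re

# Constructed sample LDAP entry (not real directory data). The entry DN
# carries only uid/ou/dc RDNs; cn and mail exist only as attributes.
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "uid": "jdoe",
    "cn": "John Doe",
    "mail": "jdoe@example.com",
}

# Hypothetical dnpattern in the spirit of the quoted plugin docs:
# $attr.<name> expands to a directory attribute, $dn.<name> to an RDN
# value from the entry DN. The exact placeholder syntax is an assumption.
SAMPLE_PATTERN = "CN=$attr.cn,E=$attr.mail,UID=$dn.uid,O=Example Corp"

_PLACEHOLDER = re.compile(r"\$(attr|dn)\.([A-Za-z0-9]+)")


def parse_dn(dn):
    """Split a simple DN into an ordered list of (TYPE, value) RDN pairs.
    No escaping support: enough for the constructed inputs used here."""
    rdns = []
    for part in dn.split(","):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def subject_from_authenticated_dn(entry):
    """Model of the current behaviour: the authenticated DN, verbatim."""
    return entry["dn"]


def subject_from_pattern(pattern, entry):
    """Model of a dnpattern-derived subject: placeholders in the pattern
    are filled from the entry's attributes ($attr) or its DN ($dn)."""
    dn_values = {t: v for t, v in parse_dn(entry["dn"])}

    def fill(match):
        source, name = match.group(1), match.group(2)
        if source == "attr":
            value = entry.get(name)
        else:
            value = dn_values.get(name.upper())
        if not value:
            # Fail closed: a subject with a hole in it must not be issued.
            raise ValueError("pattern needs %s.%s but entry lacks it" % (source, name))
        return value

    return _PLACEHOLDER.sub(fill, pattern)


def missing_rdns(subject, required=("CN", "E")):
    """Return the required RDN types absent from a subject. Running this
    over issued subjects catches certificates that lost cn/mail."""
    present = {t for t, _ in parse_dn(subject)}
    return [r for r in required if r not in present]


if __name__ == "__main__":
    dn_subject = subject_from_authenticated_dn(SAMPLE_ENTRY)
    print("from DN:     ", dn_subject, "missing:", missing_rdns(dn_subject))
    pat_subject = subject_from_pattern(SAMPLE_PATTERN, SAMPLE_ENTRY)
    print("from pattern:", pat_subject, "missing:", missing_rdns(pat_subject))
```

Run as a script it prints both subjects: the DN-derived one lacks CN and E, which is exactly the symptom seen with caDirUserCert, while the pattern-derived one carries them. The pattern path raises rather than emitting a partial subject when an attribute is absent, which is the behaviour a default plug-in should prefer over silently issuing a certificate with a truncated name.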
