From mharmsen at redhat.com Wed Feb 24 17:06:43 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 24 Feb 2016 10:06:43 -0700
Subject: [Pki-users] PKI TRAC Ticket access disabled due to excessive spamming
Message-ID: <56CDE323.7090202@redhat.com>

This is to advise users of the PKI TRAC system, that until the following ticket is resolved:

  * Fedora Infrastructure TRAC Ticket #1521 - https://fedorahosted.org NEEDS_TRIAGE is being SPAMMED

access to the create/update PKI TRAC tickets and wiki pages has been restricted.

We apologize in advance for any problems this causes.

Until this issue is resolved, please utilize the pki-users at redhat.com, pki-devel at redhat.com, and #dogtag-pki FreeNode IRC channel to request PKI TRAC Tickets.

Thanks,
-- The Dogtag Team

From Florian.Supper at s-itsolutions.at Thu Feb 25 08:25:54 2016
From: Florian.Supper at s-itsolutions.at (Supper Florian OSS sIT)
Date: Thu, 25 Feb 2016 08:25:54 +0000
Subject: [Pki-users] Rewrite of Subject in profile
Message-ID:

Hi and good morning.

I get some requests from mobile devices which are very poor.

Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00

With this subject name, it is not possible to enroll a certificate, because of the " \x00" at the end.

So I'm compelled to rewrite the Subject name. In the first way I only want to remove the "\x00" characters from CN.

I've tried some pattern and configs, but it doesn't work.

Does one of you know how this could work?

policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
policyset.cmcUserCertSet.1.constraint.params.accept=true
policyset.cmcUserCertSet.1.constraint.params.pattern=.*
policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.cmcUserCertSet.1.default.name=Subject Name Default
policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................

In the second way, I want to set the whole subject like this below. But I want to use the CN which comes in the csr.

Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, CN=mycn.example.com /emailAddress=pki-AT-example.com

Thanks for your help.

BR
Florian

From msauton at redhat.com Thu Feb 25 19:23:48 2016
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 25 Feb 2016 11:23:48 -0800
Subject: [Pki-users] Rewrite of Subject in profile
In-Reply-To:
References:
Message-ID: <56CF54C4.3000001@redhat.com>

Hello,

With the Subject Name Constraint you can tweak the components to build the subject DN, and do some pattern matching to select them to re-write the subject DN, but you cannot really modify parts of the values of those components.

I don't think you can match and accept a string with \x00 and then selectively remove the \x00 or any specific string, once it is matched, it is accepted, it is flexible but "basic".

The design of the name constraint was for matching string on components, so that would be a request for enhancement for more regexp support.

Ideally the client should be fixed to do the right thing.
But if not possible, one solution may be to take the existing SubjectNameConstraint plug-in and use it as a base to write a custom one, from:

base/server/cms/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java

Should Dogtag have another name constraint plug-in to validate the inputs to not accept \x00 or strip some strings before reaching the NameConstraintsExt plug-in?

Thanks,
M.

On 02/25/2016 12:25 AM, Supper Florian OSS sIT wrote:
>
> Hi and good morning.
>
> I get some requests from mobile devices which are very poor.
>
> Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
>
> With this subject name, it is not possible to enroll a certificate,
> because of the " \x00" at the end.
>
> So I'm compelled to rewrite the Subject name. In the first way I only
> want to remove the "\x00" characters from CN.
>
> I've tried some pattern and configs, but it doesn't work.
>
> Does one of you know how this could work?
>
> policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
> policyset.cmcUserCertSet.1.constraint.params.accept=true
> policyset.cmcUserCertSet.1.constraint.params.pattern=.*
> policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
> policyset.cmcUserCertSet.1.default.name=Subject Name Default
> policyset.cmcUserCertSet.1.default.params.name=.*CN=...................................
>
> In the second way, I want to set the whole subject like this below.
> But I want to use the CN which comes in the csr.
>
> Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT,
> CN=mycn.example.com /emailAddress=pki-AT-example.com
>
> Thanks for your help.
>
> BR
>
> Florian
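
The `pattern=.*` setting quoted in this thread, evaluated as a Java regular expression against a subject with a trailing NUL. This is an added example, not code from the thread or from Dogtag; it assumes the constraint matches its pattern against the whole subject string, and the class name, the stricter pattern and the `stripControls` and `visible` helpers are hypothetical.

```java
import java.util.regex.Pattern;

// Added illustration; not Dogtag code. Assumes the subject name constraint
// matches its pattern against the whole subject string as a Java regex.
public class SubjectPatternCheck {
    // Pattern from the profile quoted in the thread: accepts any subject.
    static final Pattern PERMISSIVE = Pattern.compile(".*");
    // Hypothetical stricter pattern: one CN whose value has no control characters.
    static final Pattern STRICT = Pattern.compile("CN=[^\\p{Cntrl}]+");

    static boolean accepts(Pattern pattern, String subject) {
        return pattern.matcher(subject).matches();
    }

    // What custom code would have to do to rewrite the value, since a
    // match-only constraint cannot: drop control characters
    // (U+0000-U+001F and U+007F) from the subject string.
    static String stripControls(String subject) {
        return subject.replaceAll("\\p{Cntrl}", "");
    }

    // Render control characters as \xNN so they are visible in logs.
    static String visible(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isISOControl(c)) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the CN from the thread, without and with a trailing NUL.
        String clean = "CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1";
        String[] subjects = { clean, clean + "\0" };
        for (String s : subjects) {
            System.out.printf("%-45s permissive=%b strict=%b stripped=%s%n",
                    visible(s), accepts(PERMISSIVE, s), accepts(STRICT, s),
                    visible(stripControls(s)));
        }
    }
}
```

In Java, `.` matches NUL, so `.*` accepts both subjects; only the stricter pattern rejects the NUL-terminated one, and removing the character takes code outside the pattern match.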