[Pki-users] Rewrite of Subject in profile

Marc Sauton msauton at redhat.com
Thu Feb 25 19:23:48 UTC 2016


Hello,
With the Subject Name Constraint you can tweak the components to build 
the subject DN, and do some pattern matching to select them to re-write 
the subject DN, but you cannot really modify parts of the values of 
those components.
I don't think you can match and accept a string with \x00 and then 
selectively remove the \x00 or any specific string; once it is matched, 
it is accepted. It is flexible but "basic".
The design of the name constraint was for matching strings on components, 
so that would be a request for enhancement for more regexp support.
Ideally the client should be fixed to do the right thing.
But if not possible, one solution may be to take the existing 
SubjectNameConstraint plug-in and use it as a base to write a custom 
one, from:
base/server/cms/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Should Dogtag have another name constraint plug-in to validate the 
inputs to not accept \x00 or strip some strings before reaching the 
NameConstraintsExt plug-in?
Thanks,
M.

On 02/25/2016 12:25 AM, Supper Florian OSS sIT wrote:
>
> Hi and good morning.
>
> I get some requests from mobile devices which are very poor.
>
> Subject: CN=B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\x00
>
> With this subject name, it is not possible to enroll a certificate, 
> because of the “\x00” at the end.
>
> So I’m compelled to rewrite the Subject name. In the first way I only 
> want to remove the “\x00” characters from CN.
>
> I’ve tried some patterns and configs, but it doesn’t work.
>
> Does one of you know how this could work?
>
> policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
> policyset.cmcUserCertSet.1.constraint.params.accept=true
> policyset.cmcUserCertSet.1.constraint.params.pattern=.*
> policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
> policyset.cmcUserCertSet.1.default.name=Subject Name Default
> policyset.cmcUserCertSet.1.default.params.name=.*CN=……………………………..
>
> In the second way, I want to set the whole subject like this below. 
> But I want to use the CN which comes in the csr.
>
> Subject: C=AT, ST=Vienna, L=Vienna, O=My Company GmbH, OU=MYORGUNIT, 
> CN=mycn.example.com /emailAddress=pki-AT-example.com
>
> Thanks for your help.
>
> BR
>
> Florian
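An added illustration, not part of the thread and not Dogtag code: a stand-alone Java sketch of the clean-up a custom constraint derived from SubjectNameConstraint could apply, stripping a trailing NUL from the requested CN, refusing a CN that still contains control characters, and rebuilding the subject from fixed components. The class and method names are hypothetical, it uses only the JDK's javax.naming.ldap classes rather than the Dogtag plug-in API, and it assumes the "\x00" shown in the subject is a literal NUL character.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper, not Dogtag code: subject clean-up for a custom constraint. */
public class SubjectSanitizer {
    // Fixed components from the thread, most significant first (emailAddress left out).
    private static final String[][] FIXED = {
        {"C", "AT"}, {"ST", "Vienna"}, {"L", "Vienna"},
        {"O", "My Company GmbH"}, {"OU", "MYORGUNIT"}
    };

    /** Strip trailing NULs only; refuse a CN that is empty or still holds a control char. */
    static String cleanCn(String raw) {
        int end = raw.length();
        while (end > 0 && raw.charAt(end - 1) == '\0') end--;
        String cn = raw.substring(0, end);
        if (cn.isEmpty()) throw new IllegalArgumentException("empty CN");
        for (int i = 0; i < cn.length(); i++)
            if (Character.isISOControl(cn.charAt(i)))
                throw new IllegalArgumentException("control character in CN at index " + i);
        return cn;
    }

    /** Build the subject from the fixed components plus the requester's cleaned CN. */
    static String rebuild(String requestedCn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<>();
        for (String[] kv : FIXED) rdns.add(new Rdn(kv[0], kv[1]));
        // Rdn escapes ',', '+' and '=' in the value, so a CN cannot add extra RDNs.
        rdns.add(new Rdn("CN", cleanCn(requestedCn)));
        return new LdapName(rdns).toString(); // list index 0 is the right-most RDN
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed inputs; the first is the CN quoted in the thread with a real NUL.
        String[] samples = {
            "B1C43CD0-1624-5FBB-8E54-34FG17DFD3A1\0",
            "device1,O=Other Org",
            "B1C43CD0\0-1624"
        };
        for (String s : samples) {
            try {
                System.out.println("OK     " + rebuild(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Only a trailing NUL is repaired; a NUL or other control character inside the value is rejected rather than silently removed, so the issued name never differs from the request in a way the requester did not plainly intend.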