[Pki-users] SubjectAltNameExt limited to 4 SANS?

Fraser Tweedale ftweedal at redhat.com
Tue Mar 14 23:37:52 UTC 2017


On Tue, Mar 14, 2017 at 05:31:39PM -0400, George Wash wrote:
> Using CS 9.1
> I'm sending SAN nametypes and values in my HTTP requests to the CA inspired
> by Section A.1.14 below
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Administration_Guide/CertProfileReference.html
> 
> In general this is working, but I seem to be limited to 4 SANs maximum. The
> CA seems to only process $request.req_san_pattern_<0-3>$
> 
> Here's my setup and some logs
> 
> 
> #### SAN Profile Configuration - 10 SANs ####
> ...
> policyset.MySet.SAN.constraint.class_id=noConstraintImpl
> policyset.MySet.SAN.constraint.name=No Constraint
> policyset.MySet.SAN.default.class_id=subjectAltNameExtDefaultImpl
> policyset.MySet.SAN.default.name=Subject Alt Name Extension Default
> policyset.MySet.SAN.default.params.subjAltNameExtCritical=false
> policyset.MySet.SAN.default.params.subjAltNameNumGNs=10
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_0=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
> policyset.MySet.SAN.default.params.subjAltExtType_0=$request.req_san_type_0$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_1=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
> policyset.MySet.SAN.default.params.subjAltExtType_1=$request.req_san_type_1$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_2=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
> policyset.MySet.SAN.default.params.subjAltExtType_2=$request.req_san_type_2$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_3=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
> policyset.MySet.SAN.default.params.subjAltExtType_3=$request.req_san_type_3$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_4=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
> policyset.MySet.SAN.default.params.subjAltExtType_4=$request.req_san_type_4$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_5=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_5=$request.req_san_pattern_5$
> policyset.MySet.SAN.default.params.subjAltExtType_5=$request.req_san_type_5$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_6=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_6=$request.req_san_pattern_6$
> policyset.MySet.SAN.default.params.subjAltExtType_6=$request.req_san_type_6$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_7=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_7=$request.req_san_pattern_7$
> policyset.MySet.SAN.default.params.subjAltExtType_7=$request.req_san_type_7$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_8=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_8=$request.req_san_pattern_8$
> policyset.MySet.SAN.default.params.subjAltExtType_8=$request.req_san_type_8$
> policyset.MySet.SAN.default.params.subjAltExtGNEnable_9=true
> policyset.MySet.SAN.default.params.subjAltExtPattern_9=$request.req_san_pattern_9$
> policyset.MySet.SAN.default.params.subjAltExtType_9=$request.req_san_type_9$
> 
> 
> #### Parsing from HTTP Request - SAN0 to SAN4 are received at the CA from
> client #####
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_type_0' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_pattern_0' value='myserver0.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_type_1' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_pattern_1' value='myserver1.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_type_2' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_pattern_2' value='myserver2.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_type_3' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_pattern_3' value='myserver3.example.com'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_type_4' value='DNSName'
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CMSServlet.java:430:outputHttpParameters() CMSServlet::service() param
> name='req_san_pattern_4' value='myserver4.example.com'
> 
> 
> ### CAProcessor Has Dropped SAN4 ####
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:261:printParameterValues() CAProcessor: Input Parameters:
> ....
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_0:
> DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_3:
> DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_1:
> DNSName
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: - req_san_type_2:
> DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: -
> req_san_pattern_3: myserver3.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: -
> req_san_pattern_1: myserver1.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: -
> req_san_pattern_2: myserver2.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: -
> req_san_pattern_0: myserver0.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> CAProcessor.java:286:printParameterValues() CAProcessor: -
> cert_request_type: pkcs10
> ...
> 
> 
> ### SubjectAltNameExtDefault - no SAN4 - gname is empty as indicated
> previously in processing ####
> ...
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> EnrollDefault.java:220:populate() SubjectAltNameExtDefault: populate start
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=0
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_0$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:492:createExtension()
> SubjectAltNameExtDefault: createExtension got gname=myserver0.example.com
> with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:496:createExtension() adding gname:
> myserver0.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:498:createExtension()
> SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=1
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_1$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:492:createExtension()
> SubjectAltNameExtDefault: createExtension got gname=myserver1.example.com
> with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:496:createExtension() adding gname:
> myserver1.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:498:createExtension()
> SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=2
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_2$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:492:createExtension()
> SubjectAltNameExtDefault: createExtension got gname=myserver2.example.com
> with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:496:createExtension() adding gname:
> myserver2.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:498:createExtension()
> SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=3
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_3$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:492:createExtension()
> SubjectAltNameExtDefault: createExtension got gname=myserver3.example.com
> with type=DNSName
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:496:createExtension() adding gname:
> myserver3.example.com
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:498:createExtension()
> SubjectAlternativeNameExtension: n not null
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=4
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_4$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=5
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_5$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=6
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_6$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=7
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_7$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=8
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_8$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:443:createExtension()
> SubjectAltNameExtDefault: createExtension i=9
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:451:createExtension()
> SubjectAltNameExtDefault: createExtension()
> pattern=$request.req_san_pattern_9$
> [14/Mar/2017:16:49:21][http-bio-8443-exec-1]:
> SubjectAltNameExtDefault.java:489:createExtension()
> SubjectAltNameExtDefault: gname is empty,not added.
> 
> 
> What's interesting is the SubjectAltNameExtDefault can take several extra
> hardcoded nametypes and values from the profile and populate them in the
> enrolled certificate.
> 
> Any thoughts?
> 
> Thanks
> GW
>
Hi George,

Looking at the code, while the SubjectAltNameExtDefault class can
handle up to 100 altnames, the SubjectAltNameExtInput class, which
stores user-submitted altname values into the request context, has a
hardcoded limit of 4.

If your use case requires handling more than 4 explicitly
submitted altnames, please file a ticket at
https://pagure.io/dogtagpki/new_issue.

Thanks,
Fraser