authorJan Cholasta <jcholast@redhat.com>2012-03-26 07:11:41 -0400
committerRob Crittenden <rcritten@redhat.com>2012-03-26 20:29:26 -0400
commitbd440d515ed7cf769e357105becc5dbe6aa1beee (patch)
treebf9d3a5749ae016e07bceb5618026a92da10b698
parentef21a286f0e4ed561be81bcc12c2432d8371fb3d (diff)
Fix uses of O=REALM instead of the configured certificate subject base.
ticket 2521
-rw-r--r--ipalib/x509.py22
-rwxr-xr-xmake-testcert5
-rw-r--r--tests/test_xmlrpc/test_cert.py4
-rw-r--r--tests/test_xmlrpc/test_host_plugin.py8
-rw-r--r--tests/test_xmlrpc/test_service_plugin.py4
-rw-r--r--tests/test_xmlrpc/xmlrpc_test.py2
6 files changed, 32 insertions, 13 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 04e1b947..1274673c 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -42,15 +42,29 @@ from ipalib import api
from ipalib import _
from ipalib import util
from ipalib import errors
+from ipalib.dn import DN
PEM = 0
DER = 1
PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
-def valid_issuer(issuer, realm):
- return issuer in ('CN=%s Certificate Authority' % realm,
- 'CN=Certificate Authority,O=%s' % realm,)
+_subject_base = None
+
+def subject_base():
+ global _subject_base
+
+ if _subject_base is None:
+ config = api.Command['config_show']()['result']
+ _subject_base = DN(config['ipacertificatesubjectbase'][0])
+
+ return _subject_base
+
+def valid_issuer(issuer):
+ if api.env.ra_plugin == 'dogtag':
+ return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base())
+ else:
+ return DN(issuer) == DN(('CN', '%s Certificate Authority' % api.env.realm))
def strip_header(pem):
"""
@@ -209,7 +223,7 @@ def verify_cert_subject(ldap, hostname, dercert):
issuer = str(nsscert.issuer)
# Handle both supported forms of issuer, from selfsign and dogtag.
- if (not valid_issuer(issuer, api.env.realm)):
+ if (not valid_issuer(issuer)):
raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
{'issuer' : issuer})
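Review bot: The comment `# Handle both supported forms of issuer, from selfsign and dogtag.` on the line before the check is now stale: `valid_issuer` accepts only the single form selected by `api.env.ra_plugin`, not both. Replace it with `# Reject the cert unless its issuer is the CA expected for api.env.ra_plugin (dogtag: CN=Certificate Authority under the subject base; selfsign: CN=<realm> Certificate Authority).` verify_cert_subject begins before and continues after this hunk.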
diff --git a/make-testcert b/make-testcert
index 8a90de1e..f5a2fa77 100755
--- a/make-testcert
+++ b/make-testcert
@@ -97,8 +97,11 @@ def makecert(reqdir):
# Generate NSS cert database to store the private key for our CSR
run_certutil(reqdir, ["-N", "-f", pwname])
+ res = api.Backend.client.run('config_show')
+ subject_base = res['result']['ipacertificatesubjectbase'][0]
+
cert = None
- subject = 'CN=%s,O=%s' % (api.env.host, api.env.realm)
+ subject = 'CN=%s,%s' % (api.env.host, subject_base)
princ = 'unittest/%s@%s' % (api.env.host, api.env.realm)
csr = unicode(generateCSR(reqdir, pwname, subject))
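Review bot: The `subject = 'CN=%s,%s' % (api.env.host, subject_base)` line builds the DN by string formatting while ipalib/x509.py in this same commit builds the equivalent value from components with `DN(('CN', ...), subject_base())`; if `DN` is available in this script, `subject = str(DN(('CN', api.env.host), DN(subject_base)))` keeps the two in step and lets DN handle escaping, provided generateCSR still gets the plain string it takes today. The `res['result']['ipacertificatesubjectbase'][0]` indexing has no guard, which is acceptable for a test helper but deserves a short comment saying a KeyError here means the server did not return a subject base. makecert continues outside this hunk.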
diff --git a/tests/test_xmlrpc/test_cert.py b/tests/test_xmlrpc/test_cert.py
index 253373a2..90809ab3 100644
--- a/tests/test_xmlrpc/test_cert.py
+++ b/tests/test_xmlrpc/test_cert.py
@@ -28,6 +28,7 @@ from nose.tools import assert_raises # pylint: disable=E0611
from xmlrpc_test import XMLRPC_test, assert_attr_equal
from ipalib import api
from ipalib import errors
+from ipalib import x509
import tempfile
from ipapython import ipautil
import nose
@@ -74,6 +75,8 @@ class test_cert(XMLRPC_test):
# Create our temporary NSS database
self.run_certutil(["-N", "-f", self.pwname])
+ self.subject = DN(('CN', self.host_fqdn), x509.subject_base())
+
def tearDown(self):
super(test_cert, self).tearDown()
shutil.rmtree(self.reqdir, ignore_errors=True)
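Review bot: With the class-level `subject` removed elsewhere in this commit, `self.subject` exists only after `setUp` runs, so anything in test_cert that referenced `subject` at class scope (for example an expected-result dict built at class definition time) would now fail with AttributeError; the visible lines do not show such a use, so this is only worth confirming. A one-line comment on the new assignment, `# Built per test: the subject base comes from the server's config_show.`, would make the move from class attribute to instance attribute deliberate for the next reader. setUp begins before this hunk.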
@@ -95,7 +98,6 @@ class test_cert(XMLRPC_test):
"""
host_fqdn = u'ipatestcert.%s' % api.env.domain
service_princ = u'test/%s@%s' % (host_fqdn, api.env.realm)
- subject = DN(('CN',host_fqdn),('O',api.env.realm))
def test_1_cert_add(self):
"""
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index 2ef99c4a..4ed4c17a 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -252,7 +252,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
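Review bot: The replacement `x509.subject_base()` in the `subject=` lambda relies on `x509` being in scope in test_host_plugin.py, but unlike test_cert.py this commit adds no `from ipalib import x509` to this file; unless the import already exists above the visible hunks, each lambda raises NameError only when the expectation is evaluated, which will look like a test failure rather than an import error. The same applies to the other three hunks in this file and to both hunks in tests/test_xmlrpc/test_service_plugin.py. If the import is missing, add `from ipalib import x509` to the file's import block.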
@@ -284,7 +284,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
@@ -483,7 +483,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
@@ -513,7 +513,7 @@ class test_host(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
index 2e51b2cc..1c3a83a1 100644
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -379,7 +379,7 @@ class test_service(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
@@ -407,7 +407,7 @@ class test_service(Declarative):
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
- DN(('CN',api.env.host),('O',api.env.realm)),
+ DN(('CN',api.env.host),x509.subject_base()),
serial_number=fuzzy_digits,
serial_number_hex=fuzzy_hex,
md5_fingerprint=fuzzy_hash,
diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py
index 716ce03a..a7cfb11b 100644
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -51,7 +51,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=basestring)
# Matches a date, like Tue Apr 26 17:45:35 2016 UTC
fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$')
-fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer, api.env.realm))
+fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer))
fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=basestring)
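Review bot: The lambda in `fuzzy_issuer = Fuzzy(type=basestring, test=lambda issuer: valid_issuer(issuer))` now only forwards its single argument, so it can be dropped: `fuzzy_issuer = Fuzzy(type=basestring, test=valid_issuer)`. Note that `valid_issuer` now consults `api.env.ra_plugin` and, on first use, the server's config_show, so the first comparison against `fuzzy_issuer` can fail on connectivity rather than on the issuer value; a brief comment above the line would save the next reader a surprise.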