authorStanislav Laznicka <slaznick@redhat.com>2017-01-27 08:58:00 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit595f9b64e31dc9e4f035119e834db7e6cb152dce (patch)
treef643e390ab2fd297588ecd62eb1bef75177ecef3
parent76e8d7b35d110e5cf5494898950ab3607799c031 (diff)
Workaround for certmonger's "Subject" representations
If an OpenSSL certificate is requested from certmonger (CERT_STORAGE == "FILE"), the "Subject" field of that certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (the components are reversed). This is a workaround so that the behavior stays the same in both cases. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit12
-rw-r--r--ipalib/install/certmonger.py5
2 files changed, 16 insertions, 1 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 750893dac..2e67c7e5a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -35,6 +35,9 @@ import base64
import contextlib
import json
+from cryptography import x509 as crypto_x509
+from cryptography.hazmat.backends import default_backend
+
import six
from ipapython import ipautil
@@ -64,8 +67,15 @@ if six.PY3:
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
+
def get_nickname():
- subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
+ # we need to get the subject from a CSR in case we are requesting
+ # an OpenSSL certificate for which we have to reverse the order of its DN
+ # components thus changing the CERTMONGER_REQ_SUBJECT
+ # https://pagure.io/certmonger/issue/62
+ csr = os.environ.get('CERTMONGER_CSR')
+ csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
+ subject = csr_obj.subject
if not subject:
return None
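Review bot: In get_nickname the value of `csr` is passed straight to `load_pem_x509_csr` without a check, so when CERTMONGER_CSR is unset `os.environ.get` returns None and the call raises TypeError, whereas the replaced `CERTMONGER_REQ_SUBJECT` path fell through to `return None`. On Python 3, which the script supports judging by the `six.PY3` branch in the hunk header, the environment value is a str while `load_pem_x509_csr` expects bytes, so the call presumably fails there too and the value should be encoded first. A malformed PEM raises ValueError from the same call; decide whether the agent should treat that as "no nickname" or let it propagate, and note that `csr_obj.subject` is an `x509.Name` rather than the string the old code produced, so confirm the rest of get_nickname, which continues past this hunk, handles that type.
```python
def get_nickname():
    # … unchanged: comment pointing at certmonger issue 62 …
    csr = os.environ.get('CERTMONGER_CSR')
    if not csr:
        return None
    if not isinstance(csr, bytes):
        csr = csr.encode('ascii')
    csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
    subject = csr_obj.subject
    # … unchanged: empty-subject check …
```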
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 951ca9ab8..812fa0455 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -32,6 +32,7 @@ import subprocess
import tempfile
from ipalib import api
from ipapython.ipa_log_manager import root_logger
+from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaplatform import services
@@ -329,6 +330,10 @@ def request_cert(
"""
if storage == 'FILE':
certfile, keyfile = certpath
+ # This is a workaround for certmonger having different Subject
+ # representation with NSS and OpenSSL
+ # https://pagure.io/certmonger/issue/62
+ subject = str(DN(*reversed(DN(subject))))
else:
certfile = certpath
keyfile = certpath
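Review bot: The DN reversal at `subject = str(DN(*reversed(DN(subject))))` is keyed only on `storage == 'FILE'` and not on the certmonger version, so once certmonger issue 62 is fixed the FILE path will silently request certificates with a reversed subject. The in-code comment should carry an explicit removal marker so the workaround is tracked, e.g. `# TODO: remove once https://pagure.io/certmonger/issue/62 is fixed (freeipa ticket 5695)`. The reversal also presumably has to be undone together with the CSR-based subject lookup this commit adds to dogtag-ipa-ca-renew-agent-submit, which is worth stating in that comment so the two are not removed independently. request_cert begins before and continues past this hunk.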