author | Stanislav Laznicka <slaznick@redhat.com> | 2017-01-27 08:58:00 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-03-01 09:43:41 +0000 |
commit | 595f9b64e31dc9e4f035119e834db7e6cb152dce (patch) | |
tree | f643e390ab2fd297588ecd62eb1bef75177ecef3 /install/certmonger | |
parent | 76e8d7b35d110e5cf5494898950ab3607799c031 (diff) | |
Workaround for certmonger's "Subject" representations
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.
The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 750893dac..2e67c7e5a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -35,6 +35,9 @@ import base64
 import contextlib
 import json
+from cryptography import x509 as crypto_x509
+from cryptography.hazmat.backends import default_backend
+
 import six
 from ipapython import ipautil
@@ -64,8 +67,15 @@ if six.PY3:
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
+
 def get_nickname():
- subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
+ # we need to get the subject from a CSR in case we are requesting
+ # an OpenSSL certificate for which we have to reverse the order of its DN
+ # components thus changing the CERTMONGER_REQ_SUBJECT
+ # https://pagure.io/certmonger/issue/62
+ csr = os.environ.get('CERTMONGER_CSR')
+ csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
+ subject = csr_obj.subject
 if not subject:
 return None |
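Review bot: In get_nickname(), the new `os.environ.get('CERTMONGER_CSR')` result is passed to `load_pem_x509_csr()` before any check, so an unset variable (None) or a malformed PEM now raises instead of reaching the existing `if not subject: return None` guard. The loader also expects bytes, and the `if six.PY3:` line in the hunk header suggests the script is meant to run on Python 3 as well, where the environment value is a str. I would add `if not csr: return None` ahead of the load, pass `csr.encode('ascii')`, and catch `ValueError` from the parse so that a bad request is rejected cleanly rather than with a traceback. Note also that `subject` is now a cryptography `x509.Name` rather than a string; the rest of the function lies outside the hunk, so whatever consumes `subject` there should be checked against that type change.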