From 595f9b64e31dc9e4f035119e834db7e6cb152dce Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Fri, 27 Jan 2017 08:58:00 +0100
Subject: Workaround for certmonger's "Subject" representations

If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same.

The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 12 +++++++++++-
 ipalib/install/certmonger.py | 5 +++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 750893dac..2e67c7e5a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -35,6 +35,9 @@ import base64
 import contextlib
 import json
 
+from cryptography import x509 as crypto_x509
+from cryptography.hazmat.backends import default_backend
+
 import six
 
 from ipapython import ipautil
@@ -64,8 +67,15 @@ if six.PY3:
 
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 
+
 def get_nickname():
-    subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
+    # we need to get the subject from a CSR in case we are requesting
+    # an OpenSSL certificate for which we have to reverse the order of its DN
+    # components thus changing the CERTMONGER_REQ_SUBJECT
+    # https://pagure.io/certmonger/issue/62
+    csr = os.environ.get('CERTMONGER_CSR')
+    csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
+    subject = csr_obj.subject
     if not subject:
         return None
 
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 951ca9ab8..812fa0455 100644
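Review bot: `csr = os.environ.get('CERTMONGER_CSR')` is handed straight to `crypto_x509.load_pem_x509_csr`, which raises TypeError when the variable is unset (None) and, on Python 3 where `os.environ` yields str, also when it is set, because cryptography's PEM loaders take bytes; the surviving `if not subject: return None` guard runs only after the parse, so the missing-input case the removed line tolerated is no longer handled. Parsing should happen only after a guard on `csr`, with the PEM text encoded as ASCII first, as sketched below. `subject` is also now an `x509.Name` rather than the string the removed line produced, so the code that consumes it later in get_nickname (outside this hunk) presumably needs checking for string comparisons. get_nickname continues past the end of the hunk.
```python
def get_nickname():
    # … unchanged: workaround comment …
    csr = os.environ.get('CERTMONGER_CSR')
    if not csr:
        return None
    csr_obj = crypto_x509.load_pem_x509_csr(csr.encode('ascii'),
                                            default_backend())
    subject = csr_obj.subject
    # … unchanged: subject check and remainder of get_nickname …
```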
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -32,6 +32,7 @@ import subprocess
 import tempfile
 
 from ipalib import api
 from ipapython.ipa_log_manager import root_logger
+from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipaplatform import services
@@ -329,6 +330,10 @@ def request_cert(
     """
     if storage == 'FILE':
         certfile, keyfile = certpath
+        # This is a workaround for certmonger having different Subject
+        # representation with NSS and OpenSSL
+        # https://pagure.io/certmonger/issue/62
+        subject = str(DN(*reversed(DN(subject))))
     else:
         certfile = certpath
         keyfile = certpath
-- 
cgit
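Review bot: `subject = str(DN(*reversed(DN(subject))))` reverses the Subject unconditionally for FILE storage, so the day certmonger ships the fix for issue 62 this path will silently start requesting certificates with a reversed Subject, and nothing in the hunk records that removal condition. The comment should state it, e.g. `# Remove once the minimum supported certmonger carries the fix for issue 62; with a fixed certmonger this line would itself reverse the Subject.` The docstring that closes just above the hunk should also say that `subject` is given in LDAP order and is reordered for FILE storage as a temporary workaround, so callers are not surprised by a Subject that differs from the string they passed. The docstring and the rest of request_cert lie outside the hunk.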