-- John Dennis <jden...@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>From 32cf59ac8963982d2de59562f3f1570e67e92a3e Mon Sep 17 00:00:00 2001 From: John Dennis <jden...@redhat.com> Date: Wed, 15 Aug 2012 21:33:15 -0400 Subject: [PATCH 77] Ticket #2584 - Installation fails when CN is set in certificate subject base Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit It is illegal to have more than one CN attribute in a certificate subject. The subject command line arg is actually inserting a dn between a leading RDN with a CN attribute and a suffix. The final subject must have only CN attribute therefore the subject command line arg must not contain CN. The patch modifies the subject validation to prohibit CN. It also improves the error messages to clearly indicate which command line parameter caused the failure and why. While fixing the above it discovered the logic used for subject validation with an external CA was flawed. DN objects were not being used when they should be (certificate subject and issuer fields are dn syntax). That code was also fixed so that the comparisions between subjects and issuers were performed with DN objects. While fixing this it was noted the object type relationship between IPA DN objects and x509 DN objects was awkward, ticket 3003 was opened to address this. --- install/tools/ipa-server-install | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index d9682bb..16a9e33 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -70,7 +70,7 @@ pw_name = None uninstalling = False installation_cleanup = True -VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c', +VALID_SUBJECT_ATTRS = ['st', 'o', 'ou', 'dnqualifier', 'c', 'serialnumber', 'l', 'title', 'sn', 'givenname', 'initials', 'generationqualifier', 'dc', 'mail', 'uid', 'postaladdress', 'postalcode', 'postofficebox', @@ -82,7 +82,6 @@ def subject_callback(option, opt_str, value, parser): """ Make sure the certificate subject base is a valid DN """ - name = opt_str.replace('--','') v = unicode(value, 'utf-8') if any(ord(c) < 0x20 for c in v): raise OptionValueError("Subject base must not contain control characters") @@ -92,10 +91,10 @@ def subject_callback(option, opt_str, value, parser): dn = DN(v) for rdn in dn: if rdn.attr.lower() not in VALID_SUBJECT_ATTRS: - raise OptionValueError('invalid attribute: %s' % rdn.attr) + raise OptionValueError('%s=%s has invalid attribute: "%s"' % (opt_str, value, rdn.attr)) except ValueError, e: - raise OptionValueError('Invalid subject base format: %s' % str(e)) - parser.values.subject = str(dn) # may as well normalize it + raise OptionValueError('%s=%s has invalid subject base format: %s' % (opt_str, value, e)) + parser.values.subject = dn def validate_dm_password(password): if len(password) < 8: @@ -638,9 +637,9 @@ def main(): print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file sys.exit(1) - certsubject = unicode(extcert.subject) - wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject)) - if certsubject.lower() != wantsubject.lower(): + certsubject = DN(str(extcert.subject)) + wantsubject = DN(('CN','Certificate Authority'), options.subject) + if certsubject != wantsubject: print "Subject of the PKCS#10 certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject) sys.exit(1) @@ -653,19 +652,19 @@ def main(): print "'%s' is not a valid PEM-encoded certificate chain." % options.external_ca_file sys.exit(1) - certdict = dict((unicode(cert.subject).lower(), cert) for cert in extchain) - certissuer = unicode(extcert.issuer) - if certissuer.lower() not in certdict: + certdict = dict((DN(str(cert.subject)), cert) for cert in extchain) + certissuer = DN(str(extcert.issuer)) + if certissuer not in certdict: print "The PKCS#10 certificate is not signed by the external CA (unknown issuer %s)." % certissuer sys.exit(1) cert = extcert while cert.issuer != cert.subject: - certissuer = unicode(cert.issuer) - if certissuer.lower() not in certdict: + certissuer = DN(str(cert.issuer)) + if certissuer not in certdict: print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer sys.exit(1) - cert = certdict[certissuer.lower()] + cert = certdict[certissuer] print "==============================================================================" print "This program will set up the FreeIPA Server." -- 1.7.11.2
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel