Hi,

@Oliver: thank you for the tip. I added the "ui:" section to the profile
sub style "enroll" and now the input fields are displayed.

Trouble now is: The values as parsed from the CSR are only put into the
"DC=" fields, but the other fields (CN, OU, O, L, ST, C, SAN_DNS,
SAN_EMAIL, SAN_URI) are all empty and when I enter those fields manually
the entered values are not processed. The result after editing either
subject or SAN is always
SubjectDN=(CN=,OU=,O=,L=,ST=,C=,DC=scsynergy,DC=com), and the SAN parts
are always empty.

When I add the line "max: 1" to e.g. ../profile/template/st.yaml the
value for ST as parsed from the CSR is then displayed correctly and any
changes to it are processed. But I cannot modify all the field templates
as this would break the rest of the system - and SAN already has the
"max:" property, meaning I would not know how to get san_edit to work.

I assume the different subject DNs are what causes this. When I upload a
CSR manually to the OpenXPKI web page "00_basic_style" is used to parse
the CSR and everything works perfectly well, I can edit the subject and
SAN and all changes are processed and put into the resulting certificate
as expected. But when I submit the same CSR via the OpenXPKI SCEP
interface I have to use a different subject DN in order to have the
fields parsed correctly (see below). If I do not edit the subject or
SAN, but simply approve the CSR issued via SCEP the fields are parsed
correctly and the certificate is issued as expected.

What am I doing wrong?

style:
    00_basic_style:
        label: manual upload
        description: manual upload
        ui:
            subject:
                - cn
                - ou
                - o
                - l
                - st
                - c
                - dc
            san:
                - san_dns
                - email
                - san_uri
        subject:
            dn: CN=[% CN %],OU=[% OU %],O=[% O %],L=[% L %],ST=[% ST %],C=[% C %][% FOREACH entry = DC %],DC=[% entry %][% END %]
            san:
                email: "[% SAN_EMAIL.0 %]"
                dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
                uri: "[% SAN_URI.0 %]"
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            entity: "[% CN.0 FILTER lower %]"
    enroll:
        label: SCEP
        description: SCEP
        ui:
            subject:
                - cn
                - ou
                - o
                - l
                - st
                - c
                - dc
            san:
                - san_dns
                - email
                - san_uri
        subject:
            dn: CN=[% CN.0 %],OU=[% OU.0 %],O=[% O.0 %],L=[% L.0 %],ST=[% ST.0 %],C=[% C.0 %][% FOREACH entry = DC %],DC=[% entry %][% END %]
            san:
                email: "[% SAN_EMAIL.0 %]"
                dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
                uri: "[% SAN_URI.0 %]"
        metadata:
            system_id: "[% data.cust_id %]"
            server_id: "[% data.server_id %]"
            entity: "[% CN.0 FILTER lower %]"

Best regards
Ronny

On 1/11/19 7:13 PM, Oliver Welter wrote:

Hi Ronny,

the profiles have so-called "sub styles" and the SCEP workflow uses the
"enrollment" style which does not have a UI section - so either change
what profile is used or edit the profile sections. Be warned, the
workflow is not yet prepared for this and there might be some more
problems...

Oliver

On 11.01.19 at 10:55, Ronald Feicht wrote:

Hi,

I am trying to add the functionality to edit the subject DN and SAN
information before approving a CSR received through SCEP. So, I
duplicated certificate_enroll.yaml, changed its prefix and added /
extended the following states, actions and fields (taken from
certificate_signing_request_v2) to the workflow:

state:
    PENDING:
        label: I18N_OPENXPKI_UI_WORKFLOW_STATE_CSR_PENDING_LABEL
        description: I18N_OPENXPKI_UI_WORKFLOW_STATE_CSR_PENDING_DESC
        action:
            - edit_subject > UPDATE_REQUEST
            - edit_san > UPDATE_REQUEST
            - reject_request notify_request_rejected global_set_error_rejected > FAILURE ? global_is_operator
            - approve_csr calculate_approval_points > RECHECK_APPROVAL ? global_is_operator is_manual_approval_allowed
            - global_clear_error_code > START_APPROVAL ? is_eligibility_recheck_allowed
        output:
            - error_code
            - server
            - interface
            - cert_subject
            - cert_subject_alt_name
            - comment
            - cert_profile
            - request_mode
            - is_replace
            - is_eligible
            - eligibility_result
            - transaction_id
            - signer_cert_identifier
            - signer_revoked
            - signer_trusted
            - signer_authorized
            - signer_validity_ok
            - has_valid_challenge_password
            - has_valid_hmac
        button:
            edit_subject:
                format: optional
            edit_san:
                format: optional
            approve_csr:
                format: expected
            global_clear_error_code:
                label: I18N_OPENXPKI_UI_WORKFLOW_BUTTON_ELIGIBILITY_RECHECK_LABEL
                format: alternative
            reject_request:
                format: failure
    UPDATE_REQUEST:
        autorun: 1
        action:
            - cancel_approvals render_subject set_workflow_attributes > RECHECK_APPROVAL
...
action:
    edit_subject:
        class: OpenXPKI::Server::Workflow::Activity::Tools::SetSource
        uihandle: OpenXPKI::Client::UI::Handle::Profile::render_subject_form
        label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CSR_EDIT_SUBJECT_LABEL
        description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CSR_EDIT_SUBJECT_DESC
        input:
            - cert_subject_parts
        param:
            source: USER
        validator:
            - global_cert_subject_parts
            - global_common_name_length
    edit_san:
        class: OpenXPKI::Server::Workflow::Activity::Tools::SetSource
        uihandle: OpenXPKI::Client::UI::Handle::Profile::render_subject_form
        label: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CSR_EDIT_SAN_LABEL
        description: I18N_OPENXPKI_UI_WORKFLOW_ACTION_CSR_EDIT_SAN_DESC
        input:
            - cert_san_parts
        param:
            source: USER
        validator:
            - global_cert_san_parts
    render_subject:
        class: OpenXPKI::Server::Workflow::Activity::Tools::RenderSubject
        param:
            _map_cert_profile: $cert_profile
            _map_cert_subject_style: "[% IF context.cert_subject_style %][% context.cert_subject_style %][% ELSE %]enroll[% END %]"
...
field:
    cert_subject_parts:
        label: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SUBJECT_PARTS_LABEL
        name: cert_subject_parts
        description: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SUBJECT_PARTS_DESC
        placeholder: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SUBJECT_PARTS_PLACEHOLDER
        tooltip: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SUBJECT_PARTS_TOOLTIP
        type: cert_subject
        required: 0
    cert_san_parts:
        label: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SAN_PARTS_LABEL
        name: cert_san_parts
        description: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SAN_PARTS_DESC
        placeholder: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SAN_PARTS_PLACEHOLDER
        tooltip: I18N_OPENXPKI_UI_WORKFLOW_FIELD_CERT_SAN_PARTS_TOOLTIP
        type: cert_san
        required: 0
...

When a workflow is received through SCEP it pauses in state "PENDING".
The buttons "edit subject" and "edit san" are displayed, yet, when I
press either one a new page is displayed:

Edit Subject / Certificate Enrollment
Edit the items in the main subject of the certification request. The
final subject will be composed from your input based on the selected
profile and the PKIs policy. You can recheck and edit the subject before
final submission.
"continue" "go back" "force failure"

But the input fields and their values are missing. When I press the
"continue" button the error message "One or more subject fields have
errors." is displayed on the top of the page. When I click "go back" the
page returns to the "PENDING" page where I can approve the CSR which is
then issued correctly. So, everything is working correctly except for
the missing input fields for editing the subject or SAN. I assume that
something is missing - maybe in "render_subject" action, but what?

Best regards
Ronny
--
*sc synergy GmbH*
Am Kümmerling 24-26 | 55294 Bodenheim | Germany
Phone: +49 6135 71691 - 000 | Fax: +49 6135 71691 - 199
http://www.scsynergy.com | [email protected]
Registered office: Bodenheim, HRB 8830, Amtsgericht Mainz,
Managing Director: Christian Reichert
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users