Hi Oliver,

Thanks for taking the time to answer this!
My goal is to enable a self-service certificate generation that would allow 
users to generate certificates for their own username only, without requiring 
approval. It all goes away if they can generate it for an arbitrary CN 😃

Just two questions really,
1 - you say “write your own workflow logic”; would that mean creating a workflow 
as in “workflow/def/certificate_signing_request_v2.yaml”? Or something deeper 
in the code? If so, would you have access to any form of documentation that 
would go a bit further than the one online? (This would save me a LOT of 
time...)

2 - what would be the way to “call” session information? And how would I be 
able to debug this if I need to?

Thanks again for the effort and for managing all this!

Cheers,
Florian Cramoisan
PoC Engineer - WW | HPE Aruba Global Solutions | PoC
ACEX #102 – ACMX#831 | ACCX#1261 | ACDX#1282 | ACSX#1475
Mobile : +33 (0)6 14 58 32 45 | Desk :+33 (0)4 80 32 35 16
Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France
This e-mail may contain confidential and/or legally privileged material for the 
sole use of the intended recipient.  If you are not the intended recipient (or 
authorized to receive for the recipient) please contact the sender by reply 
e-mail and delete all copies of this message.  If you are receiving this 
message internally within the Hewlett Packard Enterprise company, you should 
consider the contents “CONFIDENTIAL”.


From: Oliver Welter <[email protected]>
Sent: Friday, November 24, 2023 07:56
To: [email protected]
Subject: Re: [OpenXPKI-users] Using Auth Info in certificate request


Hi Florian,

the subject templates receive only the content of the cert_subject_parts hash 
from the workflow, which is created from the input fields in the profile.

The likely easiest way is to create a profile field, use the "preset" property 
to fill it with the session information and set "type: static", which makes it 
non-editable on the UI. CAVEAT: This is a UI feature and I am not 100% sure 
that there is no way to trick the UI into accepting other values, as this was not 
designed to be "secure"!

The bulletproof solution is writing your own workflow logic to force the 
session data to be in this hash instead of using the "edit_subject" forms magic.

HTH

Oliver


On 22.11.23 16:57, Cramoisan, Florian (Aruba PoC) wrote:
Hi folks,

I'm looking to build a certificate request profile where users can only 
generate a certificate for themselves.
In order to do that I was thinking of adapting the existing user_cert and making 
it so that the CN is equal to the username used during authentication (basic 
auth).

Therefore the idea would be to
1 - if using a CSR, use only the key in the CSR and ignore everything else
2 - if using the form, then do not ask for anything; use the “username” for the 
subject

#1 - These various pieces of user information are accessible from the Apache HTTP 
env as well as from the OpenXPKI environment; however, I cannot find a way to 
access them
Stack.yaml
BasicAuth:
    handler: ExternalAuth
    type: client
    param:
        envkeys:
            username: OIDC_CLAIM_unique_name
            email: OIDC_CLAIM_unique_name
            role: OPENXPKI_SSO_ROLE
            firstname: OIDC_CLAIM_given_name
            lastname: OIDC_CLAIM_family_name
            nickname: OIDC_CLAIM_name

user_cert.yaml
label: Lab User Certificate

validity:
    #-15min --> 1year - format +YYMMDDhhmmss
    notafter: +01
    notbefore: -000000001500

style:
    00_user_basic_style:
        label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
        description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
        ui:
            info:
                - comment

        subject:
            dn: "[% userinfo.email %], OU=Test"
            san:
               otherName: "1.3.6.1.4.1.311.20.2.3;UTF8:[% userinfo.email.lower %]"

Unfortunately this gives me an empty CN.
I couldn't find anything documented for this; any idea how I can proceed?

Thanks,
Florian Cramoisan
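An added example, not OpenXPKI code and not from anyone in this thread, that models Oliver's two points in plain Python: the subject template only sees the cert_subject_parts hash (so a path like "[% userinfo.email %]" renders empty), and a UI-only static field is not a trust boundary, so the workflow has to overwrite the identity part from the session. The function names, the minimal template renderer and the sample session/form data are assumptions constructed for the illustration.

```python
# Added example, not OpenXPKI code: a small model of the two points in the thread.
# (1) The subject template only sees the cert_subject_parts hash, so a path such
#     as "[% userinfo.email %]" resolves to nothing and the CN comes out empty.
# (2) A "preset" + "type: static" field is enforced by the UI only; the workflow
#     must overwrite the identity part from the session before the DN is built.
# Names (render_tt, build_subject_parts_*, the sample session/form) are assumptions.
import re

TT_VAR = re.compile(r"\[%\s*([\w.]+)\s*%\]")  # minimal "[% a.b %]" lookup, TT-like

def render_tt(template: str, stash: dict) -> str:
    """Resolve dotted paths in the stash; a missing path renders as '' (as in TT)."""
    def lookup(match):
        cur = stash
        for part in match.group(1).split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif part == "lower" and isinstance(cur, str):   # the .lower vmethod
                cur = cur.lower()
            else:
                return ""  # unknown variable: TT substitutes an empty string
        return str(cur)
    return TT_VAR.sub(lookup, template)

def build_subject_parts_from_ui(form: dict) -> dict:
    """Static-field approach: whatever the client submitted becomes the hash."""
    return dict(form)

def build_subject_parts_from_session(form: dict, session: dict) -> dict:
    """Workflow-side enforcement: the identity part is taken from the session and
    any form or CSR value for it is discarded (the CSR contributes only its key)."""
    parts = {k: v for k, v in form.items() if k != "username"}
    parts["username"] = session["username"]
    return parts

def subject_dn(parts: dict, template: str = "CN=[% username %], OU=Test") -> str:
    """Render the profile's subject template against the cert_subject_parts hash."""
    return render_tt(template, parts)

# Constructed sample data: the authenticated session, and a form whose "static"
# username field no longer matches it (the case the static field cannot prevent).
SESSION = {"username": "florian@example.test", "role": "User"}
ALTERED_FORM = {"username": "someone.else@example.test", "comment": "lab cert"}

if __name__ == "__main__":
    # Point (1): the thread's template against a hash that has no 'userinfo' key
    print(repr(subject_dn({"comment": "lab cert"}, "[% userinfo.email %], OU=Test")))
    # Point (2): UI-only trust versus session enforcement
    print(subject_dn(build_subject_parts_from_ui(ALTERED_FORM)))
    print(subject_dn(build_subject_parts_from_session(ALTERED_FORM, SESSION)))
```

Run as-is it prints `', OU=Test'` for the thread's template, then the DN built from the altered form and the DN forced from the session.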
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users