Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-08 Thread Fraser Tweedale
On Wed, Feb 01, 2017 at 05:25:58PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> The attached patches implement the long-desired feature to copy CN
> to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> 
> I've also pushed the branch to my GitHub repo; feel free to review
> the patches there:
> https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> 
> Thanks,
> Fraser

ACKed by mharmsen and batkisso.

Pushed to master with following trivial changes:

- fix a missing import in upgrade scriptlet
- break upgrade scriptlet into separate patch, for easy exclusion
  or modification when backporting

* 31dfbb569756e8c28500b597ac4486f780761c4c Add upgrade script to add CommonNameToSANDefault plugin
* 9cb00049ec731cca36de822f6c1e834f7febcb4f Add profile component that copies CN to SAN dNSName
* 979b6a2da433e97c1ada6434b432aa4aabc47ab5 X500Name: add method to get all attributes of a given type
* a67816eebbed2332327fbf391f3e23223ee7690e SubjectAlternativeNameExtension: add GeneralNames getter/setter
* 225dd099efa7e2f752c3f50157aaec71a9834873 GeneralName: add method to get at inner value
* f371114134ee3b6a83b747eecf46e001080b1e9c DNSName: add method to get value

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-02 Thread Fraser Tweedale
Discussion for devs: once this is merged, should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?

IMO we should do it, but we should not automatically update existing
installations.  Instead, we (I) can produce a KBase article about
using the new component.

Let me know what you think.

Cheers,
Fraser

On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The attached patches implement the long-desired feature to copy CN
> > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> > 
> > I've also pushed the branch to my GitHub repo; feel free to review
> > the patches there:
> > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> > 
> > Thanks,
> > Fraser
> 
> Fraser,
> 
> In order to review this patch, I am going to apply it and make a scratch
> build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
> us.
> 
> If they give us their approval, you can consider yourself granted an ACK on
> this patch and check it into master so that I can cherry-pick it into the
> 10.3 branches.
> 
> -- Matt
> 
> P. S. - FYI, the following conversation took place on #cs today:
> 
> dminnich,walrus: ftweedal has released a patch for
>https://fedorahosted.org/pki/ticket/1710 - Add profile component
>that copies CN to SAN -- if I applied that patch to a 10.3.3
>pki-core for RHEL 7.3, could you guys test it out, or in order to
>test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
>7.2 like last time?
> mharmsen: having a scratch build of 7.2 would be quickest
> we are just now planning the 7.3 upgrade, which will take
>some time to get into dev
> walrus: okay, I can try to see if I can do that, but
>remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
> yeah we should be on 7.3 in a month or so... a lot of
>things to test on a lot of servers :)
> csnell|wfh: ^^^
> walrus: completely understood! LOL
> mharmsen: that will be a very welcome patch
> mharmsen: do you happen to know if ACLs work against SANs?
> dminnich: not off the top of my head
> edewata, cfu, jmagne: ^^^?
> that is something on our to investigate list as well
> dminnich: I am going to drop an email to ftweedal, and I
>will ask that question
> mharmsen: no idea about SAN
> mharmsen, don't know
> dminnich, mharmsen , what does that mean?
> cfu: right now we allow only people in LDAP group X to
>issue certs for domains that meet Y regex.  but we don't check
>SANs.  so somebody could CN=blah.devlab.com and get approved but add
>a SAN for www.redhat.com and we don't deny it
> dminnich: where is X & Y defined?
>
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n12
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n26
> edewata: ^ some of that might be added by puppet later. but
>that's the gist
> dminnich: ok, it's in profile, not ACL
> authz.acl=group  and constraints
> dminnich, dminnich ah, I see. so it's like a pattern
>constraint just like what we have for subject name now in the
>profile.  Yeah, you can write a constraint plugin for that
> dminnich, anyway, feel free to file a ticket for it.
> cfu: will do
> 

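The two behaviours discussed in this thread, the CommonNameToSANDefault-style copy of subject CN values into SAN dNSName entries (skipping values already present, which is why the patches add the GeneralName unwrapping and DNSName getters), and the constraint the IRC log asks for (checking every SAN dNSName against the same allowed-domain regex that already gates the CN), sketched in Python as an added example. This is not Dogtag code: the DN parser is a simplified RFC 4514-style splitter written for the example, the hostname check and the choice to skip non-hostname CNs are the example's own assumptions, and the sample values are taken from the conversation above.

```python
import re

# Simplified RFC 1123 hostname check: dot-separated labels of letters, digits
# and hyphens, no leading/trailing hyphen, at least two labels.  This is an
# assumption of the example, not the plugin's rule.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_dns_name(value: str) -> bool:
    """True if value looks like a host name that may go into a dNSName."""
    return len(value) <= 253 and bool(_HOSTNAME_RE.match(value))


def parse_dn_attributes(dn: str, attr_type: str) -> list[str]:
    """Return every value of attr_type (e.g. 'CN') in a DN string such as
    'CN=www.example.com,O=Example'.  Mirrors the 'get all attributes of a
    given type' idea from the patch series; escaped commas ('\\,') and
    multi-valued RDNs ('+') are handled, nothing more.  Simplified parser
    written for this example, not Dogtag's X500Name."""
    values = []
    for rdn in re.split(r"(?<!\\)[,+]", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, sep, val = rdn.partition("=")
        if sep and typ.strip().upper() == attr_type.upper():
            values.append(val.strip().replace("\\,", ","))
    return values


def copy_cn_to_san(subject_dn: str, existing_dns_names: list[str]) -> list[str]:
    """Profile-default behaviour: append each CN that is a valid host name to
    the SAN dNSName list unless an equal (case-insensitive, as DNS names are
    compared) dNSName is already present.  The input list is not modified."""
    result = list(existing_dns_names)
    seen = {n.lower() for n in result}
    for cn in parse_dn_attributes(subject_dn, "CN"):
        if not is_dns_name(cn):
            continue  # example's choice: a person's name is not a dNSName
        if cn.lower() in seen:
            continue  # avoid the duplicate the commit message warns about
        result.append(cn)
        seen.add(cn.lower())
    return result


def check_dns_names(dns_names: list[str], allowed_pattern: str) -> list[str]:
    """Profile-constraint behaviour requested in the IRC log: every SAN
    dNSName must fully match the allowed-domain regex.  Returns the names
    that fail (an empty list means the request passes)."""
    pat = re.compile(allowed_pattern, re.IGNORECASE)
    return [n for n in dns_names if not pat.fullmatch(n)]


def evaluate_request(subject_dn: str, requested_dns_names: list[str],
                     allowed_pattern: str) -> tuple[list[str], list[str]]:
    """Run the default first and the constraint over the final SAN contents,
    the order in which a profile's defaults populate and its constraints
    validate a request.  Returns (final dNSName list, rejected names)."""
    san = copy_cn_to_san(subject_dn, requested_dns_names)
    return san, check_dns_names(san, allowed_pattern)


if __name__ == "__main__":
    # Constructed request matching the scenario in the IRC log: the CN is in
    # an allowed domain, but a dNSName for an unrelated domain was requested.
    san, rejected = evaluate_request(
        "CN=blah.devlab.com,O=Example", ["www.redhat.com"], r".*\.devlab\.com")
    print("SAN dNSNames:", san)
    print("rejected by constraint:", rejected)
```

Running the constraint over the SAN after the default has run is the point: a CN-only pattern check would approve the request above, while the dNSName check reports `www.redhat.com`.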


[Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-01-31 Thread Fraser Tweedale
Hi all,

The attached patches implement the long-desired feature to copy CN
to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).

I've also pushed the branch to my GitHub repo; feel free to review
the patches there:
https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san

Thanks,
Fraser
From 3f913b1857712dd0a962d42f56f29d7faebf244e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 1 Feb 2017 16:15:39 +1000
Subject: [PATCH 151/155] DNSName: add method to get value

To implement a profile default that copies CN to SAN dNSName, we
need to examine existing dNSName values.  To support this, add the
'getValue()' method to 'DNSName'.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 base/util/src/netscape/security/x509/DNSName.java | 8 
 1 file changed, 8 insertions(+)

diff --git a/base/util/src/netscape/security/x509/DNSName.java b/base/util/src/netscape/security/x509/DNSName.java
index 361c23571f423f635e2026c64c7bcf902f5ff3be..2161adf3701a554040ca4afc5b0c39337ed8452a 100644
--- a/base/util/src/netscape/security/x509/DNSName.java
+++ b/base/util/src/netscape/security/x509/DNSName.java
@@ -79,4 +79,12 @@ public class DNSName implements GeneralNameInterface {
 public String toString() {
 return ("DNSName: " + name);
 }
+
+/**
+ * Get the raw DNSName value.
+ */
+public String getValue() {
+return name;
+}
+
 }
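Review bot: the Javadoc "Get the raw DNSName value" is ambiguous for a method that returns the stored `name` String: "raw" reads as the DER/IA5String encoding rather than the host name text. Suggest "Return the dNSName host name as a String" and state whether the result can be null for an instance built from encoded input, since the CN-to-SAN default will compare this value against CNs.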
-- 
2.9.3

From aaa8d03d36f31894fed3c8d9c7b5126ac5417774 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 1 Feb 2017 16:17:51 +1000
Subject: [PATCH 152/155] GeneralName: add method to get at inner value

The 'GeneralNameInterface' interface represents a single X.509
General Name value.  Various types are supported.  The 'GeneralName'
class (which also implements 'GeneralNameInterface') is a singleton
container for another 'GeneralNameInterface' value.

To implement a profile component that copies CN to a SAN dNSName, we
need to examine existing General Names in the SAN extension (if
present), to avoid duplicate values.  We can iterate 'GeneralNames',
but if the value is of type 'GeneralName' we need a way to "unwrap"
the value, down to the innermost value which will be of a specific
General Name type.

Add the 'unwrap' method to 'GeneralName'.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 base/util/src/netscape/security/x509/GeneralName.java | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/base/util/src/netscape/security/x509/GeneralName.java b/base/util/src/netscape/security/x509/GeneralName.java
index a90ac7bf259b519c91bb2f67cf159f7b4178b182..55b5bfcf304c0c8ccf893f9a6ef70d2e5c2ee0e2 100644
--- a/base/util/src/netscape/security/x509/GeneralName.java
+++ b/base/util/src/netscape/security/x509/GeneralName.java
@@ -196,4 +196,19 @@ public class GeneralName implements GeneralNameInterface {
  constructedForm, (byte) nameType), tmp);
 }
 }
+
+/**
+ * Unwrap this GeneralName until we reach something that is not
+ * a GeneralName.
+ */
+public GeneralNameInterface unwrap() {
+if (this == name)
+return null;  // can't happen, but just in case...
+
+if (name instanceof GeneralName)
+return ((GeneralName) name).unwrap();
+else
+return name;
+}
+
 }
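Review bot: `unwrap()` recurses with `this == name` as its only guard, so a cycle longer than one (a GeneralName whose inner value wraps back to the outer one) would still recurse without bound; an iterative loop with a depth bound or an identity set costs a few lines and removes the risk. Returning `null` for the self-reference case also forces every caller to null-check a condition the comment says cannot happen; throwing `IllegalStateException` there would surface the bug instead of feeding `null` into the duplicate check the commit message describes.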
-- 
2.9.3

From 805b2e2d753f86c39af225d13c7614974e10c154 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 1 Feb 2017 16:25:11 +1000
Subject: [PATCH 153/155] SubjectAlternativeNameExtension: add GeneralNames
 getter/setter

To implement a profile default that copies CN to SAN dNSName, we
need to read and set the 'GeneralNames' of the extension.  This can
be done via the 'get' and 'set' methods but this interface is
awkward and requires the caller to deal with exceptions that aren't
fundamental to the get/set actions.

Add the 'setGeneralNames' and 'getGeneralNames' methods.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 .../security/x509/SubjectAlternativeNameExtension.java| 15 +++
 1 file changed, 15 insertions(+)

diff --git a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
index d96c821604308c11723644e8842e1dcc6f224034..82f87e1ef647496353f598a33290d6dcfb5e8f04 100644
--- a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
+++ b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
@@ -199,6 +199,21 @@ public class SubjectAlternativeNameExtension extends 
Extension
 }
 
 /**
+ * Set the GeneralNames of this extension.
+ */
+public void setGeneralNames(GeneralNames names) {
+clearValue();
+this.names = names;
+}
+
+/**
+ * Get the GeneralNames of this extension.
+ */
+public GeneralNames getGeneralNames() {
+
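Review bot: `setGeneralNames()` calls `clearValue()` before replacing `names`, so the extension's cached encoded value (presumably what `clearValue()` discards) must be regenerated before the extension is written out; the Javadoc should say so. A `null` argument is also accepted without a check and would leave the extension with no GeneralNames until encoding fails later; suggest rejecting `null` explicitly or documenting it as "clear".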