Workaround for certmonger's "Subject" representations

If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
freeipa · Mar 1, 2017 · 595f9b6 · 595f9b6
1 parent 76e8d7b
commit 595f9b6
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -35,6 +35,9 @@ import base64
 import contextlib
 import json
 
+from cryptography import x509 as crypto_x509
+from cryptography.hazmat.backends import default_backend
+
 import six
 
 from ipapython import ipautil
@@ -64,8 +67,15 @@ if six.PY3:
 
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
 
+
 def get_nickname():
-    subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
+    # we need to get the subject from a CSR in case we are requesting
+    # an OpenSSL certificate for which we have to reverse the order of its DN
+    # components thus changing the CERTMONGER_REQ_SUBJECT
+    # https://pagure.io/certmonger/issue/62
+    csr = os.environ.get('CERTMONGER_CSR')
+    csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
+    subject = csr_obj.subject
     if not subject:
         return None
 

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
@@ -32,6 +32,7 @@
 import tempfile
 from ipalib import api
 from ipapython.ipa_log_manager import root_logger
+from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipaplatform import services
 
@@ -329,6 +330,10 @@ def request_cert(
     """
     if storage == 'FILE':
         certfile, keyfile = certpath
+        # This is a workaround for certmonger having different Subject
+        # representation with NSS and OpenSSL
+        # https://pagure.io/certmonger/issue/62
+        subject = str(DN(*reversed(DN(subject))))
     else:
         certfile = certpath
         keyfile = certpath