#676 Update CRMFPopClient by including ability to control encoding of some subject name components.
Closed: Fixed None Opened 9 years ago by awnuk.

Update CRMFPopClient by including the ability to control encoding of some subject name components. Some subject name components like CN, L, ST, O, OU, ... are defined as a choice of TeletexString, PrintableString, UniversalString, UTF8String, and BMPString. CRMFPopClient should provide the ability to control the choice for the above subject name components.

This enhancement is required to test the solution for ticket #448, aka https://bugzilla.redhat.com/show_bug.cgi?id=883122

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CRMF_Pop_Request.html


Here is a sample of CRMFPopClient command:

CRMFPopClient -p password -d '.' -o 'req.txt' -n 'cn=aa,ou=bb,o=cc'

Option '-n' specifies the subject name included in the generated certificate request.
All subject name components are encoded with preselected default types.
For components like CN, UID, L, ST, OU, and O the CRMFPopClient tool sets the default encoding type to PrintableString.

The CRMFPopClient tool requires the presence of the KRA transport certificate placed in a transport.txt file, which can be extracted from the CA's CS.cfg from the line including the KRA's transport certificate:
ca.connector.KRA.transportCert=...

To keep backwards compatibility with the current set of CRMFPopClient parameters, encoding types can be introduced as a prefix to the component name value, separated from the value by a colon.

Here is an updated CRMFPopClient command sample with a subject name including specific encodings for two of its components.

CRMFPopClient -p password -d '.' -k true -o 'req.txt'
              -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

The above sample command will generate a certificate request with subject name 'cn=aa,ou=bb,o=cc', where aa will be encoded as UTF8String, bb as BMPString, and cc as PrintableString.

Here is how to test the new option to control the encoding of subject name components in a request generated by CRMFPopClient:

  • Create a test directory and switch to the newly created test directory.
  • Create a new NSS DB in your new test directory by running the following certutil command:
    certutil -N -d .
  • Create a new transport.txt file by extracting the KRA's transport certificate from the CA's CS.cfg, from the line including: ca.connector.KRA.transportCert=...
  • Create a new request by running the following CRMFPopClient command:
    CRMFPopClient -p <password> -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
  • Remove the following lines from the request file 'req.txt':
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
  • Convert the request from text to binary format by running the following AtoB command:
    AtoB req.txt req.bin
  • Review the encoding of the subject name components in the generated request by running the following dumpasn1 command:
    dumpasn1 req.bin

Here is a sample result matching the CRMFPopClient test command line included in the above procedure and also listed below:
CRMFPopClient -p <password> -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

dumpasn1 req.bin
   0 2210: SEQUENCE {
   4 2206:   SEQUENCE {
   8 1922:     SEQUENCE {
  12    1:       INTEGER 1
  15  342:       SEQUENCE {
  19    1:         [0] 02
  22   43:         [5] {
  24   41:           SEQUENCE {
  26   11:             SET {
  28    9:               SEQUENCE {
  30    3:                 OBJECT IDENTIFIER organizationName (2 5 4 10)
  35    2:                 PrintableString 'cc'
         :                 }
         :               }
  39   13:             SET {
  41   11:               SEQUENCE {
  43    3:                 OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
  48    4:                 BMPString 'bb'
         :                 }
         :               }
  54   11:             SET {
  56    9:               SEQUENCE {
  58    3:                 OBJECT IDENTIFIER commonName (2 5 4 3)
  63    2:                 UTF8String 'aa'
         :                 }
         :               }
         :             }
         :           }
  67  290:         [6] {
  71   13:           SEQUENCE {
  73    9:             OBJECT IDENTIFIER '1 2 840 113549 1 1 1'
  84    0:             NULL
         :             }
  86  271:           BIT STRING, encapsulates {
  91  266:             SEQUENCE {
  95  257:               INTEGER
         :                 00 C2 BB 05 16 83 F7 B4 E7 0D 55 16 29 96 62 5C
         :                 C7 01 22 29 9F 71 82 18 DF FA 56 B2 D6 B0 EE 65
         :                 9D 7C E5 88 BF 29 66 C5 96 A4 B8 23 BC 00 B7 A5
         :                 67 20 60 24 51 DD E3 53 3E 06 63 68 8D 6E 68 99
         :                 3F A2 D6 0D 38 7D 8A 2C B4 FC 00 FC 5C 5D 8F 61
         :                 9C 50 51 DE B9 95 E6 AD 48 E5 D5 79 E6 5F 35 BB
         :                 18 24 C9 EA 8C 17 87 67 2A F5 D9 53 F4 A3 1B 6A
         :                 6C EA 55 2C 4C 12 51 BC 63 CC 75 B3 C7 3D 05 CE
         :                         [ Another 129 bytes skipped ]
 356    3:               INTEGER 65537
         :               }
         :             }
         :           }
         :         }
 361 1569:       SEQUENCE {
 365 1531:         SEQUENCE {
 369    9:           OBJECT IDENTIFIER pkiArchiveOptions (1 3 6 1 5 5 7 5 1 4)
 380 1516:           [0] {
 384 1512:             SEQUENCE {
 388   20:               [1] {
 390    8:                 OBJECT IDENTIFIER '1 2 840 113549 3 7'
 400    8:                 OCTET STRING 01 01 01 01 01 01 01 01
         :                 }
 410  257:               [2]
         :                 00 09 B6 35 B0 C5 23 AF F7 77 CD 41 AD C4 7D 53
         :                 02 D0 29 7E 03 DE A7 56 06 90 8D CB 2C 16 83 47
         :                 87 7C C7 11 CC 84 AD EA 0C F1 42 36 18 D9 A9 4D
         :                 6D F2 F5 74 07 4B 17 08 1B F2 A9 C9 31 30 59 5D
         :                 1C B6 57 C9 B0 E5 9F A5 AD 25 0F 63 F1 65 65 EC
         :                 B8 31 AE 0A B0 AB C6 72 DA 47 88 4F 18 06 4B 62
         :                 77 C9 0D 82 76 9A 3C 2E 21 67 AE 24 91 BF 0B 93
         :                 B3 B3 18 29 67 91 85 5D F5 20 35 DE F2 23 86 44
         :                         [ Another 129 bytes skipped ]
 671 1225:               BIT STRING
         :                 E4 9A 91 78 38 38 F1 23 B2 53 DB 0D CC 0B AD 1C
         :                 46 6E AE F0 04 8D 36 A8 42 BD 7C B3 BE AE D4 F6
         :                 18 EC 8F F1 0A AE B3 5B A0 5C 4F 41 85 86 62 C7
         :                 3D 23 D4 96 C1 6D B6 76 FA FE 83 8F D2 F4 11 F5
         :                 DE 77 C6 0C AB 95 03 79 F0 64 67 83 EF 00 72 AE
         :                 EC 03 0E 03 8D F5 9A AD AF A2 2E AD 0F 8F 94 53
         :                 3F B9 3C B8 E5 89 80 88 CE DC E7 DE 0D 50 E9 22
         :                 1D 62 6B AB 01 2C 7E BB 1B 66 0E 78 C3 1B BD 43
         :                         [ Another 1096 bytes skipped ]
         :               }
         :             }
         :           }
1900   32:         SEQUENCE {
1902    8:           OBJECT IDENTIFIER '1 3 6 1 5 5 7 7 23'
1912   20:           OCTET STRING
         :             E6 69 C9 5F 2E FF A4 90 AE 73 E6 44 CC 3F 9E 1D
         :             96 77 9C 50
         :           }
         :         }
         :       }
1934  276:     [1] {
1938   13:       SEQUENCE {
1940    9:         OBJECT IDENTIFIER '1 2 840 113549 1 1 4'
1951    0:         NULL
         :         }
1953  257:       BIT STRING
         :         22 9F 75 37 DD BC B0 0C 5C 53 5A 85 D4 0A 51 9A
         :         F6 0E 90 42 55 CC 45 58 29 B0 B0 92 D3 B1 68 14
         :         95 B3 99 16 6C 30 1A 08 92 40 F9 2E 13 74 5A CA
         :         D9 E3 54 FA F7 3B B9 36 46 FE 6A C1 0C 98 41 91
         :         76 26 E1 7E E1 BD D9 4B 88 D0 02 81 01 67 21 A6
         :         5E 2F 19 67 BC 12 8D FC 0E 63 47 AB EB 70 BE 6E
         :         59 D4 DB 48 E5 93 F5 CC 1A 7F 9F 2B FC 44 46 2A
         :         C8 C3 6D 7F 67 C2 DD 03 95 2A BD D7 57 05 63 91
         :                 [ Another 128 bytes skipped ]
         :       }
         :     }
         :   }
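As an added illustration (not CRMFPopClient's own code, nor part of this ticket), the following Python parses the 'attr=TYPE:value' subject syntax proposed above, DER-encodes the Name with the chosen ASN.1 string types, and walks the result to list the tags the way the dumpasn1 output does. It assumes the tool's stated default (PrintableString for CN, UID, L, ST, OU, O), emits RDNs root-first as the dump shows (o, then ou, then cn), and approximates TeletexString with latin-1; for the test subject it reproduces the 41-byte SEQUENCE and the 11/13/11-byte SETs seen in the dump.

```python
import re
STRING_TYPES = {"PrintableString": (0x13, "ascii"), "UTF8String": (0x0C, "utf-8"),
                "BMPString": (0x1E, "utf-16-be"), "UniversalString": (0x1C, "utf-32-be"),
                "TeletexString": (0x14, "latin-1")}  # T.61 approximated by latin-1 here
OIDS = {"cn": b"\x55\x04\x03", "ou": b"\x55\x04\x0b", "o": b"\x55\x04\x0a",
        "l": b"\x55\x04\x07", "st": b"\x55\x04\x08"}  # id-at OIDs, DER-encoded

def printable_ok(value):  # X.680 PrintableString alphabet
    return re.fullmatch(r"[A-Za-z0-9 '()+,./:=?-]*", value) is not None

def tlv(tag, content):  # DER TLV; long-form length once content >= 128 bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def parse_subject(subject):  # 'cn=UTF8String:aa,ou=BMPString:bb,o=cc' -> [(attr, type, value)]
    rdns = []
    for part in subject.split(","):
        attr, _, value = part.partition("=")
        stype, sep, rest = value.partition(":")
        if not (sep and stype in STRING_TYPES):  # no prefix: the tool's default type
            stype, rest = "PrintableString", value
        rdns.append((attr.strip().lower(), stype, rest))
    return rdns

def encode_name(subject):  # DER Name; RDNs written root-first, reversed from string order
    out = b""
    for attr, stype, value in reversed(parse_subject(subject)):
        tag, codec = STRING_TYPES[stype]
        if stype == "PrintableString" and not printable_ok(value):
            raise ValueError(f"{value!r}: pick an explicit type such as UTF8String")
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(tag, value.encode(codec)))
        out += tlv(0x31, atv)  # SET OF one AttributeTypeAndValue
    return tlv(0x30, out)

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def string_tags(name_der):  # walk an encoded Name: [(attr, string type)] in DER order
    tag_names, oid_names = {t: n for n, (t, _) in STRING_TYPES.items()}, {v: k for k, v in OIDS.items()}
    found, body, pos = [], _read_tlv(name_der, 0)[1], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)  # SET
        _, atv, _ = _read_tlv(rdn, 0)       # SEQUENCE
        _, oid, p = _read_tlv(atv, 0)       # OBJECT IDENTIFIER
        found.append((oid_names[oid], tag_names[_read_tlv(atv, p)[0]]))
    return found
```

A value outside the PrintableString alphabet (for example a non-ASCII CN) is rejected unless an explicit type is given, which is exactly the case the new prefix syntax is meant to handle.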
git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (9/9), 1.75 KiB, done.
Total 9 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   b60f640..8c635c6  master -> master

Metadata Update from @awnuk:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 08/13 (August)

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1245

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
