#677 Update PKCS10Client by including ability to control encoding of some subject name components.
Closed: Fixed None Opened 10 years ago by awnuk.

Update PKCS10Client by including ability to control encoding of some subject name components. Some subject name components like CN, L, ST, O, OU, ... are defined as a choice of TeletexString, PrintableString, UniversalString, UTF8String, and BMPString. PKCS10Client should provide ability to control choice for above subject name components.

This enhancement is required to test solution for ticket #448 aka https://bugzilla.redhat.com/show_bug.cgi?id=883122

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/PKCS_10_Client.html


Here is a sample of PKCS10Client command:

PKCS10Client -p password -d '.' -o 'req.txt' -n 'cn=aa,ou=bb,o=cc'

Option '-n' specifies subject name included in generated certificate request.
All subject name components are encoded with preselected default types.
PKCS10Client tool for components like: CN, UID, L, ST, OU, and O sets default encoding type to PrintableString.

To keep backwards compatibility with current set of PKCS10Client parameters, encoding types can be introduced as a prefix to component name value separated by colon from component name value.

Here is an updated PKCS10Client command sample with subject name including specific encodings for two of its components.

PKCS10Client -p password -d '.' -k true -o 'req.txt'
             -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

Above sample command will generate certificate request with subject name 'cn=aa,ou=bb,o=cc', where aa will be encoded as UTF8String, bb as BMPString, and cc as PrintableString.

Here is how to test new option to control encoding of subject name components in request generated by PKCS10Client:

  • Create test directory and switch to newly created test directory.
  • Create new NSS DB in your new test directory by running the following certutil command:
    certutil -N -d .
  • Create new request by running the following PKCS10Client command:
    PKCS10Client -p <password> -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
  • Remove the following lines from request file 'req.txt':
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
  • Convert request from text to binary format by running the following AtoB command:
    AtoB req.txt req.bin
  • Review encoding of subject name components in generated request by running the following dumpasn1 command:
    dumpasn1 req.bin

Here is a sample result matching PKCS10Client test command line included in above procedure and also listed below:

PKCS10Client -p <password> -d '.' -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'

dumpasn1 req.bin
  0 658: SEQUENCE {
  4 378:   SEQUENCE {
  8   1:     INTEGER 0
 11  41:     SEQUENCE {
 13  11:       SET {
 15   9:         SEQUENCE {
 17   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 22   2:           PrintableString 'cc'
       :           }
       :         }
 26  13:       SET {
 28  11:         SEQUENCE {
 30   3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 35   4:           BMPString 'bb'
       :           }
       :         }
 41  11:       SET {
 43   9:         SEQUENCE {
 45   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 50   2:           UTF8String 'aa'
       :           }
       :         }
       :       }
. . .
git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (9/9), 1.76 KiB, done.
Total 9 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   8c101dc..b60f640  master -> master
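
As an added illustration (not PKCS10Client's code and not part of the ticket), this Python sketch parses the prefixed '-n' syntax described above and DER-encodes the subject name, so the tags and lengths can be compared with the dumpasn1 output. The function and table names are hypothetical, and splitting on plain commas ignores escaped separators.

```python
import string

# Constructed tables for this example; names are hypothetical, not PKCS10Client's.
OIDS = {"cn": b"\x55\x04\x03", "l": b"\x55\x04\x07", "st": b"\x55\x04\x08",
        "o": b"\x55\x04\x0a", "ou": b"\x55\x04\x0b"}
# ASN.1 universal tag and Python codec for each string choice
TYPES = {"PrintableString": (0x13, "ascii"),
         "TeletexString": (0x14, "latin-1"),  # simplification of T.61
         "UniversalString": (0x1C, "utf-32-be"),
         "UTF8String": (0x0C, "utf-8"),
         "BMPString": (0x1E, "utf-16-be")}
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def tlv(tag, body):
    """DER tag-length-value with short-form or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def parse_subject(subject):
    """Split 'cn=UTF8String:aa,o=cc' into (attr, type, value) triples."""
    out = []
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        prefix, sep, rest = value.partition(":")
        if sep and prefix in TYPES:
            out.append((attr.lower(), prefix, rest))
        else:  # no recognised prefix: default type stated in the ticket
            out.append((attr.lower(), "PrintableString", value))
    return out


def der_name(subject):
    """Encode the subject as a DER Name (SEQUENCE of SET of SEQUENCE)."""
    rdns = b""
    # The dump on this page lists o, ou, cn: the reverse of the -n string.
    for attr, typ, value in reversed(parse_subject(subject)):
        tag, codec = TYPES[typ]
        if typ == "PrintableString" and not set(value) <= PRINTABLE:
            raise ValueError(f"{value!r} is not a valid PrintableString")
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(tag, value.encode(codec)))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)
```

For 'cn=UTF8String:aa,ou=BMPString:bb,o=cc' the result is a 41-byte Name body whose string tags fall at the same relative offsets as in the dump (subtract 11, the offset of the Name SEQUENCE).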

Metadata Update from @awnuk:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 08/13 (August)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1246

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
